Bug 1903409 (CVE-2020-1971) - CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference
Summary: CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1971
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1903416 1903417 1903418 1903419 1903420 1903421 1903432 1905410 1905411 1905412 1905413 1905414 1905603 1905604 1905605 1905838 1905839 1905840 1905841 1905842 1905843 1905844 1905845 1905846 1905847 1905848
Blocks: 1903410 1954955
TreeView+ depends on / blocked
 
Reported: 2020-12-02 02:46 UTC by Huzaifa S. Sidhpurwala
Modified: 2024-06-13 23:36 UTC (History)
38 users (show)

See Also:
Fixed In Version: openssl 1.1.1i
Doc Type: If docs needed, set a value
Doc Text:
A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause the application, compiled with openssl to crash resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-12-15 12:47:13 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:5592 0 None None None 2020-12-16 21:38:47 UTC
Red Hat Product Errata RHBA-2020:5593 0 None None None 2020-12-16 21:45:22 UTC
Red Hat Product Errata RHBA-2020:5594 0 None None None 2020-12-16 21:44:37 UTC
Red Hat Product Errata RHBA-2020:5595 0 None None None 2020-12-16 21:42:47 UTC
Red Hat Product Errata RHBA-2020:5610 0 None None None 2020-12-17 08:51:22 UTC
Red Hat Product Errata RHBA-2020:5631 0 None None None 2020-12-17 22:59:21 UTC
Red Hat Product Errata RHBA-2020:5632 0 None None None 2020-12-17 23:44:33 UTC
Red Hat Product Errata RHBA-2020:5668 0 None None None 2020-12-22 18:26:52 UTC
Red Hat Product Errata RHBA-2020:5670 0 None None None 2020-12-22 14:56:32 UTC
Red Hat Product Errata RHBA-2020:5671 0 None None None 2020-12-22 15:02:41 UTC
Red Hat Product Errata RHBA-2021:0001 0 None None None 2021-01-04 01:55:29 UTC
Red Hat Product Errata RHBA-2021:0006 0 None None None 2021-01-04 09:57:20 UTC
Red Hat Product Errata RHBA-2021:0015 0 None None None 2021-01-04 21:43:21 UTC
Red Hat Product Errata RHBA-2021:0016 0 None None None 2021-01-04 22:39:13 UTC
Red Hat Product Errata RHBA-2021:0017 0 None None None 2021-01-05 07:49:27 UTC
Red Hat Product Errata RHBA-2021:0026 0 None None None 2021-01-05 16:45:32 UTC
Red Hat Product Errata RHBA-2021:0027 0 None None None 2021-01-05 21:23:21 UTC
Red Hat Product Errata RHBA-2021:0044 0 None None None 2021-01-11 12:55:32 UTC
Red Hat Product Errata RHBA-2021:0048 0 None None None 2021-01-07 15:45:58 UTC
Red Hat Product Errata RHBA-2021:0049 0 None None None 2021-01-07 15:54:32 UTC
Red Hat Product Errata RHBA-2021:0051 0 None None None 2021-01-11 06:36:25 UTC
Red Hat Product Errata RHBA-2021:0059 0 None None None 2021-01-11 13:04:38 UTC
Red Hat Product Errata RHBA-2021:0060 0 None None None 2021-01-11 13:17:39 UTC
Red Hat Product Errata RHBA-2021:0061 0 None None None 2021-01-11 13:18:54 UTC
Red Hat Product Errata RHBA-2021:0062 0 None None None 2021-01-11 13:09:49 UTC
Red Hat Product Errata RHBA-2021:0063 0 None None None 2021-01-11 13:19:30 UTC
Red Hat Product Errata RHBA-2021:0064 0 None None None 2021-01-11 13:18:21 UTC
Red Hat Product Errata RHBA-2021:0071 0 None None None 2021-01-11 23:00:23 UTC
Red Hat Product Errata RHBA-2021:0082 0 None None None 2021-01-12 15:08:37 UTC
Red Hat Product Errata RHBA-2021:0117 0 None None None 2021-01-13 21:14:41 UTC
Red Hat Product Errata RHBA-2021:0120 0 None None None 2021-01-14 09:37:36 UTC
Red Hat Product Errata RHBA-2021:0122 0 None None None 2021-01-14 08:16:07 UTC
Red Hat Product Errata RHBA-2021:0123 0 None None None 2021-01-14 09:33:50 UTC
Red Hat Product Errata RHBA-2021:0124 0 None None None 2021-01-14 09:34:21 UTC
Red Hat Product Errata RHBA-2021:0125 0 None None None 2021-01-14 09:25:49 UTC
Red Hat Product Errata RHBA-2021:0126 0 None None None 2021-01-14 10:53:05 UTC
Red Hat Product Errata RHBA-2021:0127 0 None None None 2021-01-14 10:53:30 UTC
Red Hat Product Errata RHBA-2021:0128 0 None None None 2021-01-14 10:53:54 UTC
Red Hat Product Errata RHBA-2021:0129 0 None None None 2021-01-14 10:52:07 UTC
Red Hat Product Errata RHBA-2021:0130 0 None None None 2021-01-14 10:54:25 UTC
Red Hat Product Errata RHBA-2021:0131 0 None None None 2021-01-14 10:50:38 UTC
Red Hat Product Errata RHBA-2021:0132 0 None None None 2021-01-14 10:43:29 UTC
Red Hat Product Errata RHBA-2021:0133 0 None None None 2021-01-14 10:52:38 UTC
Red Hat Product Errata RHBA-2021:0134 0 None None None 2021-01-14 10:50:06 UTC
Red Hat Product Errata RHBA-2021:0135 0 None None None 2021-01-14 10:51:08 UTC
Red Hat Product Errata RHBA-2021:0139 0 None None None 2021-01-14 11:39:21 UTC
Red Hat Product Errata RHBA-2021:0141 0 None None None 2021-01-14 13:24:48 UTC
Red Hat Product Errata RHBA-2021:0142 0 None None None 2021-01-14 13:25:17 UTC
Red Hat Product Errata RHBA-2021:0192 0 None None None 2021-01-19 17:05:17 UTC
Red Hat Product Errata RHBA-2021:0193 0 None None None 2021-01-19 17:11:59 UTC
Red Hat Product Errata RHSA-2020:5422 0 None None None 2020-12-15 09:06:50 UTC
Red Hat Product Errata RHSA-2020:5476 0 None None None 2020-12-15 16:40:23 UTC
Red Hat Product Errata RHSA-2020:5566 0 None None None 2020-12-16 09:07:33 UTC
Red Hat Product Errata RHSA-2020:5588 0 None None None 2020-12-16 15:14:31 UTC
Red Hat Product Errata RHSA-2020:5623 0 None None None 2020-12-17 16:49:32 UTC
Red Hat Product Errata RHSA-2020:5637 0 None None None 2020-12-21 08:34:27 UTC
Red Hat Product Errata RHSA-2020:5639 0 None None None 2020-12-21 11:59:19 UTC
Red Hat Product Errata RHSA-2020:5640 0 None None None 2020-12-21 12:05:41 UTC
Red Hat Product Errata RHSA-2020:5641 0 None None None 2020-12-21 12:17:27 UTC
Red Hat Product Errata RHSA-2020:5642 0 None None None 2020-12-21 12:33:29 UTC
Red Hat Product Errata RHSA-2021:0056 0 None None None 2021-01-11 10:29:36 UTC
Red Hat Product Errata RHSA-2021:0486 0 None None None 2021-02-11 13:17:44 UTC
Red Hat Product Errata RHSA-2021:0488 0 None None None 2021-02-11 13:30:09 UTC
Red Hat Product Errata RHSA-2021:0489 0 None None None 2021-02-11 13:37:15 UTC
Red Hat Product Errata RHSA-2021:0491 0 None None None 2021-02-11 13:39:57 UTC
Red Hat Product Errata RHSA-2021:0494 0 None None None 2021-02-11 13:50:22 UTC
Red Hat Product Errata RHSA-2021:0495 0 None None None 2021-02-11 13:51:46 UTC

Description Huzaifa S. Sidhpurwala 2020-12-02 02:46:15 UTC
As per upstream advisory:

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:

1. Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate
2. When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.

Comment 2 Huzaifa S. Sidhpurwala 2020-12-02 03:35:20 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: David Benjamin (Google)

Comment 13 Huzaifa S. Sidhpurwala 2020-12-08 09:47:12 UTC
Mitigation:

Applications not using the GENERAL_NAME_cmp of openssl are not vulnerable to this flaw. Even when this function is used, if the attacker can control both the arguments of this function, only then the attacker could trigger a crash.

Comment 15 Huzaifa S. Sidhpurwala 2020-12-08 09:53:54 UTC
Statement:

This is a flaw in the GENERAL_NAME_cmp function of openssl which can be triggered when both its arguments are of the same type i.e. EDIPARTYNAME. 

1. Red Hat does not ship any applications compiled with openssl, which used the above function in a vulnerable way.

2. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes, when comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate and when verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared then that attacker could trigger a crash. For example, if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then a crash may be triggered.

Third party applications compiled with openssl using the function GENERAL_NAME_cmp in a vulnerable way are affected by this flaw.

GENERAL_NAME_cmp was added in 0.9.8k, therefore older versions of openssl are not affected by this flaw.

Comment 17 Huzaifa S. Sidhpurwala 2020-12-08 15:57:45 UTC
External References:

https://www.openssl.org/news/secadv/20201208.txt

Comment 18 Huzaifa S. Sidhpurwala 2020-12-08 15:58:47 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1905605]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1905603]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1905604]

Comment 23 errata-xmlrpc 2020-12-15 09:06:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5422 https://access.redhat.com/errata/RHSA-2020:5422

Comment 24 Product Security DevOps Team 2020-12-15 12:47:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1971

Comment 25 errata-xmlrpc 2020-12-15 16:40:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5476 https://access.redhat.com/errata/RHSA-2020:5476

Comment 26 errata-xmlrpc 2020-12-16 09:07:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5566 https://access.redhat.com/errata/RHSA-2020:5566

Comment 27 errata-xmlrpc 2020-12-16 15:13:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5588 https://access.redhat.com/errata/RHSA-2020:5588

Comment 28 errata-xmlrpc 2020-12-17 16:49:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:5623 https://access.redhat.com/errata/RHSA-2020:5623

Comment 29 errata-xmlrpc 2020-12-21 08:34:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5637 https://access.redhat.com/errata/RHSA-2020:5637

Comment 30 errata-xmlrpc 2020-12-21 11:59:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:5639 https://access.redhat.com/errata/RHSA-2020:5639

Comment 31 errata-xmlrpc 2020-12-21 12:05:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2020:5640 https://access.redhat.com/errata/RHSA-2020:5640

Comment 32 errata-xmlrpc 2020-12-21 12:17:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:5641 https://access.redhat.com/errata/RHSA-2020:5641

Comment 33 errata-xmlrpc 2020-12-21 12:33:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:5642 https://access.redhat.com/errata/RHSA-2020:5642

Comment 38 errata-xmlrpc 2021-01-11 10:30:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:0056 https://access.redhat.com/errata/RHSA-2021:0056

Comment 40 errata-xmlrpc 2021-02-11 13:17:41 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2021:0486 https://access.redhat.com/errata/RHSA-2021:0486

Comment 41 errata-xmlrpc 2021-02-11 13:30:05 UTC
This issue has been addressed in the following products:

  JBCS 2.4.37 SP6

Via RHSA-2021:0488 https://access.redhat.com/errata/RHSA-2021:0488

Comment 42 errata-xmlrpc 2021-02-11 13:37:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2021:0489 https://access.redhat.com/errata/RHSA-2021:0489

Comment 43 errata-xmlrpc 2021-02-11 13:39:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:0491 https://access.redhat.com/errata/RHSA-2021:0491

Comment 44 errata-xmlrpc 2021-02-11 13:50:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.4 on RHEL 7
  Red Hat JBoss Web Server 5.4 on RHEL 8

Via RHSA-2021:0494 https://access.redhat.com/errata/RHSA-2021:0494

Comment 45 errata-xmlrpc 2021-02-11 13:51:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:0495 https://access.redhat.com/errata/RHSA-2021:0495


Note You need to log in before you can comment on or make changes to this bug.