Bug 1823670 (CVE-2020-1967) - CVE-2020-1967 openssl: Segmentation fault in SSL_check_chain causes denial of service
Summary: CVE-2020-1967 openssl: Segmentation fault in SSL_check_chain causes denial of...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-1967
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1826338
Blocks: 1823663
TreeView+ depends on / blocked
 
Reported: 2020-04-14 08:23 UTC by Huzaifa S. Sidhpurwala
Modified: 2020-09-11 03:08 UTC (History)
61 users (show)

Fixed In Version: openssl 1.1.1g
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the way OpenSSL handled certain TLS handshake messages. This flaw allows an unauthenticated attacker to cause a server application compiled with OpenSSL to crash, causing a denial of service. In some cases a malicious server could also cause a client compiled with OpenSSL to crash.
Clone Of:
Environment:
Last Closed: 2020-04-21 13:40:14 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2020-04-14 08:23:44 UTC
As per upstream advisory:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

Comment 3 Huzaifa S. Sidhpurwala 2020-04-14 09:05:32 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: Bernd Edlinger

Comment 4 Huzaifa S. Sidhpurwala 2020-04-14 09:12:29 UTC
It seems like this flaw was caused by the commit https://github.com/openssl/openssl/commit/5235ef44b93306a14d0b6c695b13c64b16e1fdec which is a part of openssl-1.1.1d, older versions of openssl are therefore not affected by this flaw.

Comment 5 Huzaifa S. Sidhpurwala 2020-04-14 09:51:14 UTC
The OpenSSL peer loops through the through the list of "signature_algorithms_cert" received from the client and attempts to lookup each one in the internal table. When the peer sends a value which is not in the list, the lookup returns NULL, but we unconditionally dereference the lookup result for the comparison, leading to an application crash triggerable by an unauthenticated client.

Since we will not be able to say anything about algorithms we don't recognize, the patch treats NULL return from lookup as "does not match".

Only TLS 1.3 is affected in the code, since only "signature_algorithm_cert" is supported for TLS 1.3

Comment 10 Ted (Jong Seok) Won 2020-04-15 05:58:26 UTC
Statement:

This flaw was introduced by the following OpenSSL commit:
https://github.com/openssl/openssl/commit/5235ef44b93306a14d0b6c695b13c64b16e1fdec
which was shipped as a part of OpenSSL-1.1.1d, therefore older versions are not affected by this flaw. 
OpenSSL packages shipped with Red Hat Products are NOT affected by this flaw.

The affected  `signature_algorithm_cert`  check which causes the flaw is only applied to TLS 1.3, therefore older versions of TLS are not be affected by this flaw.

Also, the vulnerable `SSL_check_chain()` is not called directly from libssl, but may be used by the application inside a callback (e.g., client_hello or cert callback) to verify that a candidate certificate chain will be acceptable to the client. Thus, applications that use openssl without invoking the `SSL_check_chain()` function are not vulnerable to this flaw.

Lastly, no Red Hat Middleware products ship the affected version of OpenSSL. However, some components, such as Netty and Wildfly, may be configured by customers to use any OpenSSL version. Customers who have configured their setups to use a vulnerable version of OpenSSL are advised to upgrade to the latest unaffected version immediately.

Comment 11 Huzaifa S. Sidhpurwala 2020-04-17 07:25:25 UTC
Mitigation:

Applications compiled with OpenSSL >= 1.1.1d that either use openssl without invoking the `SSL_check_chain()` function or do not use TLS 1.3 are not vulnerable to this flaw.

Comment 12 Mark Cooper 2020-04-21 00:22:42 UTC
OpenShift ServiceMesh is not vulnerable to this flaw. 

The component servicemesh-proxy, dynamically links to the RHEL version (RHEL 8.1, openssl-libs 1.1.1c) and does not invoke the vulnerable function, SSL_check_chain().

Comment 13 Huzaifa S. Sidhpurwala 2020-04-21 13:15:01 UTC
External References:

https://www.openssl.org/news/secadv/20200421.txt


Note You need to log in before you can comment on or make changes to this bug.