The maintainers of OpenSSL have released a fix for a high-severity vulnerability that stems from the way the software checks the validity of the certificates in a given certificate chain. In certain configurations, an attacker could bypass the checks and insert a certificate that was not issued by a valid CA.
The vulnerability affects versions 1.1.1h and newer of OpenSSL and is fixed in version 1.1.1k, which was released Thursday. The bug is a result of a specific check introduced in 1.1.1h that is designed to ensure that certificates with explicitly encoded elliptic curve parameters are not included in the certificate chain.
“An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates,” the advisory says.
“If a ‘purpose’ has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named ‘purpose’ values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.”
The vulnerability is not exploitable in all situations: an application has to have the X509_V_FLAG_X509_STRICT verification flag set for the flaw to be present.
“In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose,” the advisory says.
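To make the interaction between the strict flag, the CA check and the purpose check concrete, here is an added, simplified Python model of the chain-validation logic the advisory describes; it is not OpenSSL's own code, and the certificate records, field names and the "sslserver" purpose value are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    name: str
    is_ca: bool               # basicConstraints CA flag
    explicit_ec_params: bool  # EC key with explicitly encoded curve parameters


def check_chain_vulnerable(chain, strict, purpose=None):
    """Models the 1.1.1h-1.1.1j logic. chain[0] is the leaf; every certificate
    above it must be a CA. Returns True when the chain is accepted."""
    for i, cert in enumerate(chain):
        must_be_ca = i > 0
        ok = cert.is_ca  # result of the CA check
        if strict and len(chain) > 1:
            # The bug: the strict EC-parameter check reuses the variable
            # holding the CA result, overwriting it.
            ok = not cert.explicit_ec_params
        if must_be_ca and not ok:
            return False
        # A configured purpose re-checks CA status independently, which is
        # why the bypass needs the purpose to be unset or overridden.
        if purpose is not None and must_be_ca and not cert.is_ca:
            return False
    return True


def check_chain_fixed(chain, strict, purpose=None):
    """Models 1.1.1k: the two checks keep separate results, so the outcome
    no longer depends on whether a purpose is configured."""
    for i, cert in enumerate(chain):
        if i > 0 and not cert.is_ca:
            return False
        if strict and len(chain) > 1 and cert.explicit_ec_params:
            return False
    return True


# Constructed chain: a non-CA certificate sits in the issuer position.
LEAF = Cert("leaf", is_ca=False, explicit_ec_params=False)
ROGUE = Cert("non-CA issuer", is_ca=False, explicit_ec_params=False)
ROOT = Cert("root CA", is_ca=True, explicit_ec_params=False)
CHAIN = [LEAF, ROGUE, ROOT]

if __name__ == "__main__":
    print("vulnerable, strict, no purpose:", check_chain_vulnerable(CHAIN, strict=True))
    print("vulnerable, strict, purpose set:", check_chain_vulnerable(CHAIN, strict=True, purpose="sslserver"))
    print("fixed, strict, no purpose:", check_chain_fixed(CHAIN, strict=True))
```

The model accepts the rogue chain only in the combination the advisory names (strict flag set, no purpose), and rejects it once a purpose is configured or the fixed logic is used.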
Also fixed in the new OpenSSL release is a potential denial-of-service vulnerability that can occur when a client sends a malicious renegotiation message to a server.
“If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” the advisory says.
“A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).”