X.400 address type confusion in X.509 GeneralName
CVE-2023-0286

7.4 HIGH

Key Information:

Vendor: OpenSSL
Status: Vendor
CVE Published: 8 February 2023

Summary

A type confusion vulnerability has been identified in OpenSSL that affects how X.400 addresses are processed within an X.509 GeneralName. This issue arises due to an incorrect specification of the x400Address field type, leading to improper interpretation by the function GENERAL_NAME_cmp. When Certificate Revocation List (CRL) checking is enabled, this vulnerability allows potential attackers to manipulate memory access, which could lead to unauthorized reading of memory contents or result in a denial of service. The exploitation of this vulnerability typically requires the attacker to control both the certificate chain and CRL, although in some situations, they may only need to control one of these inputs if the other contains an X.400 address as a CRL distribution point. Thus, applications utilizing individual CRL retrieval processes are particularly susceptible to this flaw.

Affected Version(s)

OpenSSL 3.0.0 < 3.0.8

OpenSSL 1.1.1 < 1.1.1t

OpenSSL 1.0.2 < 1.0.2zg
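
A version triage for the ranges listed above, as an added example (not part of the original advisory or of OpenSSL). It assumes each entry reads as "first affected <= version < first fixed"; the host names and banner strings are constructed sample data.

```python
import re

# Ranges exactly as listed on this page, read as first-affected <= v < first-fixed.
LISTED_RANGES = [("3.0.0", "3.0.8"), ("1.1.1", "1.1.1t"), ("1.0.2", "1.0.2zg")]

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_key(text):
    """Sortable key for the first OpenSSL version found in text.

    Letter releases order as '' < a < ... < z < za < zb ..., so the suffix is
    compared by length first and then alphabetically.
    """
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def in_listed_range(text):
    """True if the version falls inside one of the ranges listed on the page."""
    key = version_key(text)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in LISTED_RANGES)


def triage(inventory):
    """Map host -> True/False, or None when the version string is unparseable."""
    result = {}
    for host, banner in inventory.items():
        try:
            result[host] = in_listed_range(banner)
        except ValueError:
            result[host] = None
    return result


# Constructed sample inventory (hypothetical hosts, `openssl version` style output).
SAMPLE = {
    "web-01": "OpenSSL 1.1.1s  1 Nov 2022",
    "web-02": "OpenSSL 1.1.1t  7 Feb 2023",
    "vpn-01": "OpenSSL 3.0.7 1 Nov 2022",
    "old-01": "OpenSSL 1.0.2zf",
    "old-02": "OpenSSL 1.0.2zg",
    "misc-01": "LibreSSL unknown",
}

if __name__ == "__main__":
    for host, flag in triage(SAMPLE).items():
        print(host, flag)
```

Distribution packages often backport fixes without changing the upstream version string, so a True result is a prompt to check the vendor's package advisory. A False result only means the version is outside the ranges listed on this page.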

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

David Benjamin (Google)
Hugo Landau