Invalid certificate policies in leaf certificates are silently ignored
CVE-2023-0465

5.3MEDIUM

Key Information:

Vendor
OpenSSL
Status
OpenSSL
Vendor
CVE Published:
28 March 2023

Summary

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Affected Version(s)

OpenSSL 3.1.0 < 3.1.1

OpenSSL 3.0.0 < 3.0.9

OpenSSL 1.1.1 < 1.1.1u

References

https://www.openssl.org/news/secadv/20230328.txt
vendor-advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...
patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...
patch

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

David Benjamin (Google)
Matt Caswell
.