Urgent OpenSSL Security Advisory: High-Severity Address Type Confusion Vuln Fixed

On February 7, 2023, OpenSSL released a security advisory regarding the discovery and security patching of several cybersecurity vulnerabilities. This advisory included a high-severity address type confusion bug that hackers could use in exploits in cybersecurity to read memory contents or enact Denial-of-Service (DoS) attacks in network security.

OpenSSL is a software applications library that contains the open-source implementation of the SSL and TLS protocols and provides secure communications over computer networks. So many Internet servers utilize OpenSSL in some shape or form, so users must know of all the data and network security issues they could face. This article will discuss all the details you need regarding the latest network security news about this vulnerability and how to mitigate it. 

The Discovery & The Impact

The most notable network security threat plaguing OpenSSl systems is a high-severity type confusion vulnerability related to X.400 address processing within X.509 GeneralName (CVE-2023-0286). bX.400 addresses received the label ASN1_STRING following analysis. Still, the public structure definition for GENERAL_NAME incorrectly specified the type of x400 Address field as ASN1_TYPE. The OpenSSL function GENERAL_NAME_cmp interprets the coding as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled, these network security issues may allow attackers to pass arbitrary pointers to a memcmp call, enabling threat actors to read memory contents or carry out a Denial of Service attack. Fortunately, this vulnerability does not impact an entire system; however, applications implementing CRLs into their network functionality are most susceptible to this risk.

What Should I Do to Secure My Systems Against This Bug?

Here are the outdated, at-risk systems that clients utilize. If you use one of these servers, we have personalized recommendations for you about how to reduce or remove risk from your cybersecurity platforms:

• OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
• OpenSSL 1.1.1 clients must download OpenSSL 1.1.1t.
• OpenSSL 1.0.2 organizations must employ OpenSSL 1.0.2zg, which is premium customer support only.

What Other Issues Did We Find on OpenSSL?

Here are a few other cybersecurity vulnerabilities and flaws we discovered in OpenSSL this past week, on top of the address type confusion issue:

• A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack (CVE-2022-4304). OpenSSL 3.0, 1.1.1, and 1.0.2 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).
• A read buffer overrun can result from X.509 certificate verification, specifically in name constraint checking (CVE-2022-4203). This flaw might result in a denial of service attack, and, in theory, it could also result in the disclosure of private memory contents. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
• A use-after-free following BIO_new_NDEF (CVE-2023-0215) could result in a crash. OpenSSL 3.0, 1.1.1, and 1.0.2 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).
• Double free after calling PEM_read_bio_ex (CVE-2022-4450) could lead to a crash. OpenSSL 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t. OpenSSL 1.0.2 is not affected by this issue.
• An invalid pointer dereference in the d2i_PKCS7 functions (CVE-2023-0216) could lead to a denial of service attack. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
• An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function (CVE-2023-0217). Such operations will most likely lead to a crash. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
• A NULL dereference during PKCS7 data verification (CVE-2023-0401) could lead to a crash. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
• OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Final Thoughts on the February 7th OpenSSL Advisory

Open-source software and applications are not immune to facing detrimental cybersecurity vulnerabilities. OpenSSL cybersecurity platforms are no different, and we can acknowledge how many network security issues are present on OpenSSL as of just this past week. Fortunately, there are ways to stay up-to-date on the latest security advisories so you can employ security patching before attacks in network security threaten your server. Your Linux distribution offers a security newsletter to look at and prepare for threats. Consider subscribing to the Linux Advisory Watch security newsletter to get generalized updates and customize your LinuxSecurity advisories to see advisories specific to your distributions. Be sure to upgrade OpenSSL frequently to avoid network security issues that could lead to significant downtime, data loss, and reputational harm.