
CVE-2020-1971

2020-12-08 16:15:11
CWE-476
web.nvd.nist.gov
cve-2020-1971
openssl
x.509
generalname
edipartyname
denial of service
security vulnerability
null pointer dereference
nvd
crl distribution point
timestamp response token signer
crl downloading

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

5.5 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

74.4%

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur, leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:

1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate.
2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token).

If an attacker can control both items being compared then that attacker could trigger a crash. For example, if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading, and this attack has been demonstrated to work against those tools.

Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However, it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.

All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
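As an added check that is not part of this advisory or of OpenSSL's own code: a Python function that classifies an OpenSSL version string (such as the first line of `openssl version` output) against the affected and fixed releases stated above. The handling of 1.x letter-suffixed versions is an assumption of this example, and the sample strings in it are constructed.

```python
# Added example: classify an OpenSSL version against the CVE-2020-1971 ranges
# stated in the advisory (affected 1.1.1 to 1.1.1h, fixed 1.1.1i; affected
# 1.0.2 to 1.0.2w, fixed 1.0.2x). Not OpenSSL project code.
import re
from typing import Optional, Tuple

# Assumption: OpenSSL 1.x releases look like "1.1.1h" or "1.0.2", i.e. three
# numeric fields plus an optional lowercase patch-letter suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse the first version found in text into a sortable tuple.
    The letter suffix becomes an integer, with no letter as 0, so that
    '1.1.1' < '1.1.1a' < ... < '1.1.1h' < '1.1.1i'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    suffix = 0
    for ch in letters:  # 'a' -> 1 ... 'z' -> 26; a second letter sorts after 'z'
        suffix = suffix * 27 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), suffix)

# (first affected, last affected, first fixed) per the advisory text.
AFFECTED_RANGES = (
    ("1.1.1", "1.1.1h", "1.1.1i"),
    ("1.0.2", "1.0.2w", "1.0.2x"),
)

def cve_2020_1971_status(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for an OpenSSL version string.
    Release lines the advisory does not cover (e.g. 1.1.0, 3.x) are 'unknown'."""
    v = parse_openssl_version(version_text)
    if v is None:
        return "unknown"
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_openssl_version(lo) <= v <= parse_openssl_version(hi):
            return "affected"
        f = parse_openssl_version(fixed)
        if v[:3] == f[:3] and v >= f:  # same release line, at or past the fix
            return "fixed"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample inputs in the shape of `openssl version` output.
    for line in ("OpenSSL 1.1.1h  22 Sep 2020", "OpenSSL 1.0.2x  10 Dec 2020",
                 "OpenSSL 1.1.0l  10 Sep 2019"):
        print(f"{line!r}: {cve_2020_1971_status(line)}")
```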

Affected configurations

NVD

Each entry is vendor / product: version, with ranges and edition or target qualifiers as listed in the NVD configuration.

Node (any of):
  openssl / openssl: range 1.0.2 to 1.0.2x
  openssl / openssl: range 1.1.1 to 1.1.1i
Node (any of):
  debian / debian_linux: 9.0
  debian / debian_linux: 10.0
Node (any of):
  fedoraproject / fedora: 32
  fedoraproject / fedora: 33
Node (any of):
  oracle / api_gateway: 11.1.2.4.0
  oracle / business_intelligence: 5.5.0.0.0 (enterprise)
  oracle / business_intelligence: 5.9.0.0.0 (enterprise)
  oracle / business_intelligence: 12.2.1.3.0 (enterprise)
  oracle / business_intelligence: 12.2.1.4.0 (enterprise)
  oracle / communications_cloud_native_core_network_function_cloud_native_environment: 1.10.0
  oracle / communications_diameter_intelligence_hub: range 8.0.0 to 8.1.0
  oracle / communications_diameter_intelligence_hub: range 8.2.0 to 8.2.3
  oracle / communications_session_border_controller: cz8.2
  oracle / communications_session_border_controller: cz8.3
  oracle / communications_session_border_controller: cz8.4
  oracle / communications_session_router: cz8.2
  oracle / communications_session_router: cz8.3
  oracle / communications_session_router: cz8.4
  oracle / communications_subscriber-aware_load_balancer: cz8.2
  oracle / communications_subscriber-aware_load_balancer: cz8.3
  oracle / communications_subscriber-aware_load_balancer: cz8.4
  oracle / communications_unified_session_manager: scz8.2.5
  oracle / enterprise_communications_broker: pcz3.1
  oracle / enterprise_communications_broker: pcz3.2
  oracle / enterprise_communications_broker: pcz3.3
  oracle / enterprise_manager_base_platform: 13.3.0.0
  oracle / enterprise_manager_base_platform: 13.4.0.0
  oracle / enterprise_manager_for_storage_management: 13.4.0.0
  oracle / enterprise_manager_ops_center: 12.4.0.0
  oracle / enterprise_session_border_controller: cz8.2
  oracle / enterprise_session_border_controller: cz8.3
  oracle / enterprise_session_border_controller: cz8.4
  oracle / essbase: 21.2
  oracle / graalvm: 19.3.4 (enterprise)
  oracle / graalvm: 20.3.0 (enterprise)
  oracle / http_server: 12.2.1.4.0
  oracle / jd_edwards_enterpriseone_tools: range <9.2.5.3
  oracle / jd_edwards_world_security: a9.4
  oracle / mysql: range 8.0.22
  oracle / mysql_server: range 5.7.32
  oracle / mysql_server: range 8.0.15 to 8.0.22
  oracle / peoplesoft_enterprise_peopletools: 8.56
  oracle / peoplesoft_enterprise_peopletools: 8.57
  oracle / peoplesoft_enterprise_peopletools: 8.58
Node (any of):
  netapp / active_iq_unified_manager: - (vmware_vsphere)
  netapp / active_iq_unified_manager: - (windows)
  netapp / clustered_data_ontap_antivirus_connector: -
  netapp / data_ontap: - (7-mode)
  netapp / e-series_santricity_os_controller: range 11.0.0 to 11.60.3
  netapp / hci_management_node: -
  netapp / manageability_software_development_kit: -
  netapp / oncommand_insight: -
  netapp / oncommand_workflow_automation: -
  netapp / plug-in_for_symantec_netbackup: -
  netapp / santricity_smi-s_provider: -
  netapp / snapcenter: -
  netapp / solidfire: -
  netapp / hci_compute_node: -
  netapp / hci_storage_node: -
Node (all of):
  netapp / ef600a_firmware: -
  netapp / ef600a: -
Node (all of):
  netapp / aff_a250_firmware: -
  netapp / aff_a250: -
Node (any of):
  tenable / log_correlation_engine: range <6.0.9
  tenable / nessus_network_monitor: range <5.13.1
Node:
  siemens / sinec_infrastructure_network_services: range <1.0.1.1
Node (any of):
  nodejs / node.js: range 10.0.0 to 10.12.0
  nodejs / node.js: range 10.13.0 to 10.23.1 (lts)
  nodejs / node.js: range 12.0.0 to 12.12.0
  nodejs / node.js: range 12.13.0 to 12.20.1 (lts)
  nodejs / node.js: range 14.0.0 to 14.14.0
  nodejs / node.js: range 14.15.0 to 14.15.4 (lts)
  nodejs / node.js: range 15.0.0 to 15.5.0

CNA Affected

[
  {
    "product": "OpenSSL",
    "vendor": "OpenSSL",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h)"
      },
      {
        "status": "affected",
        "version": "Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w)"
      }
    ]
  }
]

