CVE-2023-0286 X.400 address type confusion in X.509 GeneralName

2023-02-0819:01:50

openssl

www.cve.org

cve-2023-0286

x.400 address

x.509 generalname

type confusion

vulnerability

crl checking

openssl function

memory read

denial of service

certificate chain

crl

network retrieval

7.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.5%

JSON

There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "OpenSSL",
    "vendor": "OpenSSL",
    "versions": [
      {
        "lessThan": "3.0.8",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "1.1.1t",
        "status": "affected",
        "version": "1.1.1",
        "versionType": "custom"
      },
      {
        "lessThan": "1.0.2zg",
        "status": "affected",
        "version": "1.0.2",
        "versionType": "custom"
      }
    ]
  }
]