- OpenSSL has fixed two out-of-bounds vulnerabilities that affect a large number of products that use the library.
- Among them is QNAP, which makes widely used network-attached storage (NAS) appliances.
- The impact is so far-reaching that most vendors are still investigating which of their products are affected.
QNAP is working on compiling a complete list of its products affected by two flaws in OpenSSL that the open-source cryptographic library fixed on August 24, 2021. The impact on the company’s network-attached storage (NAS) appliances looks set to be significant, so the fixing patches should reach customers soon. Multiple other companies and projects that rely on the OpenSSL library have already released security bulletins, so the problem is far-reaching.
The flaws are the following:
- CVE-2021-3711 – OpenSSL SM2 decryption buffer overflow
- CVE-2021-3712 – Read buffer overruns processing ASN.1 strings
The severity of the first flaw is rated “High,” while the second is rated “Moderate.” In the first case, an attacker could craft data for the application to decrypt so that the decryption overflows the buffer, altering the application’s behavior and potentially causing crashes. In the second, a malicious actor could cause the application to construct an ASN1_STRING directly and then process it through one of the affected OpenSSL functions, leading to a crash and therefore a denial of service.
The OpenSSL versions affected by these two bugs are 1.1.1k and below; users of those versions should upgrade to 1.1.1l or later. The OpenSSL 3.0 alpha/beta releases are also affected, but 3.0 is not officially out yet and is still in development. The older OpenSSL 1.0.2 isn’t impacted, but it is no longer supported, so downgrading to it isn’t advised either. Impact on OpenSSL 1.1.0 hasn’t been confirmed, but that version should also be considered risky to use.
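As an added example (not from the article, QNAP or the OpenSSL project), the following Python check parses the first line of `openssl version` output and classifies it against the version ranges above; the function names and the sample version strings are constructed for illustration.

```python
import re
import subprocess

# First line of `openssl version`, e.g. "OpenSSL 1.1.1k  25 Mar 2021"
# or "OpenSSL 3.0.0-beta2 ..." (the letter suffix and -prerelease tag are optional).
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([a-z]+)\d*)?", re.I)

# Outcomes a caller can branch on; the version-to-outcome mapping follows the
# ranges stated in the advisory summary (1.1.1k and below affected, 1.1.1l fixed,
# 1.0.2 not affected, 3.0 alpha/beta affected, 1.1.0 unconfirmed).
AFFECTED, FIXED, NOT_AFFECTED, UNCONFIRMED, UNKNOWN = (
    "affected", "fixed", "not_affected", "unconfirmed", "unknown")


def parse_version(text):
    """Return (major, minor, patch, letter, prerelease) from version text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4).lower(), (m.group(5) or "").lower()


def assess(text):
    """Classify a version string against the CVE-2021-3711/3712 ranges."""
    major, minor, patch, letter, pre = parse_version(text)
    series = (major, minor, patch)
    if series == (1, 0, 2):            # unaffected, but out of support
        return NOT_AFFECTED
    if series == (1, 1, 0):            # impact not confirmed; treat as risky
        return UNCONFIRMED
    if series == (1, 1, 1):            # 1.1.1 (no letter) .. 1.1.1k affected;
        return AFFECTED if letter < "l" else FIXED   # single-letter suffixes compare as strings
    if (major, minor) == (3, 0) and pre in ("alpha", "beta"):
        return AFFECTED                # 3.0 pre-releases are affected
    return UNKNOWN                     # not covered by the advisory summary


def check_installed():
    """Run `openssl version` on this host and classify the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), assess(out)


if __name__ == "__main__":
    try:
        print(*check_installed())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not run openssl:", exc)
```

An `unknown` result (for example a 1.1.1 build string the regex cannot parse, or a later major series) means the advisory text here does not cover that version and the vendor bulletin should be consulted.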
Another company that has already responded to these problems is NetApp, which also hasn’t compiled a full list of affected products yet but is working on it. Synology has also released an advisory to inform its customers that a fixing patch is being developed for eight products. Linux distributions like Ubuntu, Red Hat, and Debian have also acknowledged the flaws and have urged all software packagers that use OpenSSL as a dependency to upgrade to a new version.