OpenSSL Just Fixed Two High-Severity Easy-to-Find Flaws

• OpenSSL has pushed two fixes for an equal number of recently discovered highly critical bugs.
• The vulnerabilities aren’t affecting every configuration, but one of them is present on the default setting.
• Everyone is advised to update to 1.1.1k or later unless you’re still using OpenSSL 1.0.2, which isn’t impacted.

OpenSSL has released a security advisory to inform the public about fixing CVE-2021-3450 and CVE-2021-3449. The first is a high-severity CA certificate check bypass that can occur in configurations that use the X509_V_FLAG_X509_STRICT flag. The second could enable a malicious actor to craft and use a special renegotiation ClientHello message from a client, leading to a crash and denial of service.

CVE-2021-3449 looks like it could have been found easily if anyone figured out how to fuzz renegotiation, but renegotiation is sadness.

Anyway, sounds like you can crash most OpenSSL servers on the Internet today.

— Filippo Valsorda @filippo.abyssdomain.expert (@FiloSottile) March 25, 2021

According to the details given in the advisory, the versions that are affected by the two flaws are OpenSSL 1.1.1, so everyone is advised to upgrade to 1.1.1k or later. The issues do not impact OpenSSL 1.0.2. OpenSSL 1.1.0 could also be impacted, but it has not been analyzed as it’s not actively supported anymore.

In order to be affected by CVE-2021-3450, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. Thus, not using that special configuration could be a mitigation if updating to a patched version is impossible for any reason.

The renegotiating request looks more troublesome on paper, and it could threaten to take down a mind-boggling number of internet websites through DoS attacks. The particular flaw was found and fixed by Nokia’s researchers Peter Kästle and Samuel Sapalski on March 17, 2021. The prerequisite for vulnerability is to have TLSv1.2 with renegotiation enabled, and this looks bad precisely because this is the default configuration.

OpenSSL is a free (Apache License) software library used by internet servers for HTTPS websites, providing basic cryptographic functions and versatile open-source implementation of the SSL (now deprecated) and TLS secured communications protocols. As such, every vulnerability found in OpenSSL has the potential to affect significant portions of the internet, exactly like we saw with the “Heartbleed” example all the way back in 2014.

The upside in the most recent case is that it looks like the OpenSSL team had pushed the fixes for the two highly critical flaws before any malicious actors had the chance to exploit them, at least in alarming scales.