A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve.
The vulnerability stems from a bug in the BN_mod_sqrt() function, which the OpenSSL team said is used to parse certificates that “contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” As it turns out, all you need to do to trigger an infinite loop in BN_mod_sqrt() is hand an OpenSSL-based application or service a certificate with invalid explicit curve parameters.
This parsing happens prior to verification of the certificate’s signature. Slip a bad certificate to any app or server using BN_mod_sqrt() to parse certs, and the software will get caught in the loop and stop working.
There are quite a few situations where this can be abused in the wild, the OpenSSL team said in its security advisory. Possibly exploitable situations include TLS clients consuming server certificates (and vice-versa), hosting providers accepting keys from customers, certificate authorities parsing cert requests from subscribers, or “anything else which parses ASN.1 elliptic curve parameters.”
“The most common scenario where this would be a problem would be for a TLS client accessing a malicious server that serves up a problematic certificate. TLS servers may be affected if they are using client authentication (which is a less common configuration) and a malicious client attempts to connect to it,” said Matt Caswell, a developer at the OpenSSL Software Foundation.
Caswell said he isn’t aware of anyone exploiting this high-severity vulnerability in the wild, nor does he believe there’s any way to use this security hole for anything other than a denial-of-service attack. Still, a DoS can lead to services dying for netizens, sparking reports of outages.
This vulnerability affects OpenSSL versions 1.0.2, 1.1.1, and 3.0. Patches 1.1.1n and 3.0.2 address these issues, so if you’re using one of the affected versions, be sure to patch now: as a user, update your packages and libraries, and if you’re a developer, make sure your software requires or is built with a fixed version.
There’s a patch for 1.0.2 users as well (1.0.2zd), though it’s reserved for premium support customers only. If you aren’t one of those, you’re still in luck: the exploit is harder to trigger in OpenSSL 1.0.2 because the public key isn’t parsed during the initial certificate processing.
That said, “any operation which requires the public key from the certificate will trigger the infinite loop,” the OpenSSL team writes. In other words, it’s still possible to fall prey, especially when the attacker can trigger the loop during verification of the cert signature by using a self-signed certificate.
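As an added example (not from the OpenSSL advisory or this article), here is a Python pre-screen that walks DER without calling OpenSSL and flags the two encodings named above, explicit curve parameters and compressed EC public keys, so an intake service can reject or quarantine a certificate or request before an unpatched library parses it. The function names and the sample SubjectPublicKeyInfo blobs are constructed for illustration; the explicit-parameter sample is a truncated stand-in, not a complete curve definition.

```python
EC_PUBKEY_OID = bytes.fromhex("2a8648ce3d0201")   # id-ecPublicKey, 1.2.840.10045.2.1
def read_tlv(buf, pos, end):
    """Parse one DER element inside buf[pos:end]; return (tag, start, stop) of its content."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def children(buf, start, end):
    out, pos = [], start
    while pos < end:                               # each element advances pos by >= 2
        out.append(read_tlv(buf, pos, end))
        pos = out[-1][2]
    return out

def ec_findings(der):
    """Walk all constructed elements (no recursion) and flag risky EC key encodings."""
    findings, stack = [], [(0, len(der))]
    while stack:
        kids = children(der, *stack.pop())
        stack += [(s, e) for tag, s, e in kids if tag & 0x20]
        # SubjectPublicKeyInfo shape: SEQUENCE { AlgorithmIdentifier, BIT STRING }
        if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
            alg = children(der, kids[0][1], kids[0][2])
            if len(alg) == 2 and alg[0][0] == 0x06 and der[alg[0][1]:alg[0][2]] == EC_PUBKEY_OID:
                if alg[1][0] == 0x30:              # parameters are a SEQUENCE, not a curve OID
                    findings.append("explicit-parameters")
                point = der[kids[1][1] + 1:kids[1][2]]   # skip the unused-bits octet
                if point[:1] in (b"\x02", b"\x03"):
                    findings.append("compressed-public-key")
    return findings

def tlv(tag, body):                                # sample builder, short lengths only
    return bytes([tag, len(body)]) + body
# Constructed samples: key bytes are zero filler, explicit parameters are a truncated stand-in.
EC = tlv(0x06, EC_PUBKEY_OID)
NAMED_SPKI = tlv(0x30, tlv(0x30, EC + tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
                 + tlv(0x03, b"\x00\x04" + bytes(64)))
EXPLICIT_SPKI = tlv(0x30, tlv(0x30, EC + tlv(0x30, tlv(0x02, b"\x01")))
                    + tlv(0x03, b"\x00\x02" + bytes(32)))
```

Feed it DER bytes (decode PEM first) and treat a `ValueError` as a reject. It complements upgrading to a fixed OpenSSL release and does not replace it.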