Bosch CERT Advisory: OpenSSL Multiple Vulnerabilities

Bug #1921485 reported by it0001
Affects: openssl (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Description

Multiple vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

1. An error when validating CA certificates can be exploited to bypass certificate validation checks.

Successful exploitation of the vulnerability #1 requires the X509_V_FLAG_X509_STRICT flag to be enabled (not enabled by default) and an application to either not set a purpose for certificate verification or override the default purpose.

2. A NULL-pointer dereference error when handling renegotiation ClientHello messages can be exploited to crash the OpenSSL TLS server.

Successful exploitation of the vulnerability #2 requires an OpenSSL server with TLSv1.2 and renegotiation enabled (enabled by default).

The vulnerabilities are reported in versions prior to 1.1.1k.

Affected Software

The following software is affected by the described vulnerability. Please check the vendor links below to see whether your exact version is affected.

OpenSSL 1.x

Solution

Update to version 1.1.1k.

References

1. https://www.openssl.org/news/vulnerabilities.html
2. https://www.openssl.org/news/secadv/20210325.txt

Please provide a fix as soon as possible.
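An added check, written for this page and not part of the bug report or of OpenSSL itself, that turns the advisory's two conditions into something an operator can run: it parses an OpenSSL version banner and flags any release prior to 1.1.1k, and it builds a server-side ssl.SSLContext that refuses renegotiation (the precondition for vulnerability #2) as a stop-gap until the update is applied. Function names and the sample banners are assumptions of this example.

```python
import re
import ssl

# Release at or above which the advisory above considers OpenSSL fixed.
FIXED_VERSION = (1, 1, 1, "k")

# True when this Python/OpenSSL build can switch TLS renegotiation off.
CAN_DISABLE_RENEGOTIATION = hasattr(ssl, "OP_NO_RENEGOTIATION")

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.1.1j  16 Feb 2021' into (1, 1, 1, 'j').

    The 1.x line uses a letter suffix for patch releases
    (1.1.1 < 1.1.1a < ... < 1.1.1k); an empty suffix sorts first.
    Returns None when the banner is not an OpenSSL version string.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_vulnerable(banner):
    """True when the banner names a release prior to 1.1.1k."""
    version = parse_openssl_version(banner)
    if version is None:
        return False  # not OpenSSL (or unparseable): do not guess
    return version < FIXED_VERSION


def build_server_context():
    """Server context that refuses renegotiation where the build allows it.

    Vulnerability #2 requires renegotiation to be enabled on the server,
    so disabling it removes the precondition until the library is updated.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if CAN_DISABLE_RENEGOTIATION:
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def renegotiation_disabled(ctx):
    """Report whether the context will reject TLS renegotiation."""
    return CAN_DISABLE_RENEGOTIATION and bool(ctx.options & ssl.OP_NO_RENEGOTIATION)


if __name__ == "__main__":
    # Check the OpenSSL this interpreter is linked against.
    print(ssl.OPENSSL_VERSION, "-> vulnerable" if is_vulnerable(ssl.OPENSSL_VERSION) else "-> not affected")
```

The version check follows the advisory's wording ("prior to 1.1.1k", "OpenSSL 1.x"), so it also flags the 1.0.2 line; consult the OpenSSL advisory linked above for per-branch detail.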

CVE References

Revision history for this message
Steve Beattie (sbeattie) wrote :
information type: Private Security → Public Security
Changed in openssl (Ubuntu):
status: New → Fix Released