CVE-2023-0286

Description

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

How to fix CVE-2023-0286

To remediate CVE-2023-0286, upgrade the affected package to a fixed version below.

• —upgrade to 1.1.1t-r0 or later
• —upgrade to 3.0.8-r0 or later
• —upgrade to 111.25.0 or later
• —upgrade to 111.25.0 or later
• —upgrade to 1.1.1n-0+deb11u4 or later
• —upgrade to 39.0.1 or later

Is CVE-2023-0286 being exploited?

Likely — EPSS is 88.3%, placing CVE-2023-0286 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (6)

• from 0, < 1.1.1t-r0
• from 0, < 3.0.8-r0
• from 0, < 111.25.0
• >= 0.0.0-0, < 111.25.0, >= 300.0.0, < 300.0.12
• from 0, < 1.1.1n-0+deb11u4
• >= 0.8.1, < 39.0.1

CVSS scores

References (16)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-0286
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-0286
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-0286
• PATCHcrates.io/crates/openssl-src
• PATCHgithub.com