OpenSSL, a popular secure-communication library, has been found to have a bug that can send a service into an infinite loop, resulting in a denial of service (DoS).
Researchers said the bug is a parsing issue in certain versions of OpenSSL and requires a maliciously crafted certificate to trigger it. Once triggered, it sends the SSL connection into an infinite loop, causing a denial of service. The OpenSSL team has released patches for this issue and recommends that users apply them.
OpenSSL Parsing Bug Causing DoS
Denial of Service (DoS) is an attack in which threat actors cause a legitimate service to crash or hang, with the aim of blocking the service even for legitimate users. Though this may not pose a huge cybersecurity risk, it can cause long-term financial loss and dent a brand’s reputation.
And this is what OpenSSL users may face if they don’t patch a bug spotted recently. Found by Tavis Ormandy, a Google security researcher, the certificate-parsing vulnerability in OpenSSL can have a significant impact on all businesses using it.
This was a fun one to work on, @davidben__ helped track it down to a bug in the Tonelli-Shanks implementation in OpenSSL. https://t.co/AYvpBLwNvJ
— Tavis Ormandy (@taviso) March 15, 2022
As the OpenSSL team later noted, the bug is in the BN_mod_sqrt() function and can be triggered by serving a maliciously crafted certificate, which puts the parser into an infinite loop and denies service. The researchers noted that:
“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack.”
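As an added illustration (not OpenSSL’s code, and not from the advisory or this article): BN_mod_sqrt() implements the Tonelli-Shanks modular square root, and the sketch below shows that algorithm in Python with both of its search loops bounded, so that a modulus taken from untrusted input that is not actually prime makes the routine fail closed instead of spinning. The moduli 17 and 85 in the demo are constructed sample values.

```python
# Added illustration (not OpenSSL's code): Tonelli-Shanks modular square root
# with bounded loops. The algorithm's invariants only hold for an odd prime
# modulus; an unbounded inner search can hang on anything else.

def mod_sqrt(a, p):
    """Return r with r*r == a (mod p) for an odd prime p.

    Returns None when no root is found, either because a is a non-residue
    or because p is not prime and the algorithm's invariants break. Without
    the bounds below, the composite case can loop forever.
    """
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    # Euler's criterion: a non-residue has no root (only reliable for prime p).
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Find a quadratic non-residue z; bounded, since a composite p may have none.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z >= p:
            return None
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Least i with t**(2**i) == 1. For prime p it satisfies 0 < i < m;
        # for composite p it may not exist, which is the hang the bound prevents.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                return None  # fail closed rather than loop
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


if __name__ == "__main__":
    print(mod_sqrt(2, 17))   # 6 (6*6 = 36 = 2 mod 17)
    print(mod_sqrt(16, 85))  # None: 85 = 5*17 breaks the invariant, but no hang
```

Dropping the `if i >= m` guard reproduces the hang for the composite modulus 85, which is the shape of defect a bounded loop protects against.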
All OpenSSL versions from 1.0.2 to 1.0.2zc, 1.1.1 to 1.1.1n, and 3.0 to 3.0.1 are said to be affected by this bug. The team has released patches in the form of 1.1.1n and 3.0.2, with 1.0.2zd available only to premium support customers of the 1.0.2 branch. This is because 1.0.2 has reached end of life (EOL), so OpenSSL suggests those users upgrade to a supported version.
Tracked as CVE-2022-0778, the bug has not yet been seen exploited in the wild, according to the OpenSSL team. But Italy’s national cybersecurity agency, CSIRT, claimed otherwise, which the OpenSSL team later denied.