On March 26, 2021, NSFOCUS detected that OpenSSL issued a security advisory fixing a denial-of-service vulnerability and a certificate check bypass vulnerability (CVE-2021-3449/CVE-2021-3450) in OpenSSL products. Currently, the proof of concept (PoC) of this vulnerability has been made publicly available. Relevant users are advised to take protective measures as soon as possible.
CVE-2021-3449: A NULL pointer dereference exists in renegotiation enabled by OpenSSL TLSv1.2 by default. By sending a maliciously crafted renegotiation ClientHello message from a client, attackers could crash the server, resulting in a denial of service.
CVE-2021-3450: On an OpenSSL server that enables X509_V_FLAG_X509_STRICT, an error exists in the verification logic in the X.509 certificate chain. As a result, an affected application accepts valid certificates signed by non-CA certificates or the certificate chain, which allows attackers to conduct man-in-the-middle (MiTM) attacks and obtain sensitive information.
OpenSSL is an open-source software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in Internet web servers.
Scope of Impact
Affected Versions: OpenSSL 1.1.1-1.1.1j
Affected Versions: OpenSSL 1.1.1h-1.1.1j
Check for the Vulnerability
You can check whether your software is affected by the OpenSSL denial-of-service vulnerability (CVE-2021-3449) via the following method:
openssl s_client -tls1_2 -connect your_domain:443
[Press the R key]
Check the content below RENEGOTIATING. If the keyword “verify” is included, the software may be vulnerable. If write:errno=0 appears, the software will not be affected by this vulnerability.
Currently, the preceding vulnerabilities have been fixed in the latest version. If you are affected by these vulnerabilities, please upgrade your installation as soon as possible via https://www.openssl.org/source/
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.