How to exploit OpenSSL to do DOS attack: CVE-2020-1967

IT security services specialists mention that OpenSSL Project developers have released an OpenSSL security update to fix a severe vulnerability; tracked as CVE-2020-1967, exploiting this vulnerability would allow malicious activities such as denial of service (DDoS) to be deployed. This is the first vulnerability corrected by OpenSSL in 2020.

The developer report mentions that this vulnerability is a segmentation error in the SSL_check_chain function: “Server or client applications that call the function SSL_check_chain during or after a TLS 1.3 handshake may crash due to NULL pointer dereference as a result of incorrect handling of the TLS extension” , mentions OpenSSL Project.

According to the IT security services specialists this system collapse occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a threat actor in a denial of service (DDoS) attack. The vulnerability is present in OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f. This vulnerability was fixed with the release of version 1.1.1g.

It should be noted that previous versions (1.0.2 and 1.1.0) do not appear to be affected by the vulnerability, so administrators of these versions do not need to install updates.

The IT security services experts discovered the vulnerability on April 7. For the finding, the researchers used the new static analysis pass implemented in the GNU Compiler Collection (GCC) static code analyzer. Additional analysis results will be revealed as soon as possible.

The OpenSSL security alert concludes by mentioning: “This inconvenience is not present in version 1.0.2, however, these versions are not supported and have stopped receiving support; an extension in support is available to Premium customers.” In addition, the issue does not affect OpenSSL 1.1.0; however, these versions are not supported and no longer receive updates. Users of these versions should upgrade to OpenSSL 1.1.1.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the official website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.