Critical OpenSSL vulnerability allows easy DoS attack

OpenSSL developers have just announced that the latest version, OpenSSL 1.1.1i, contains a number of patches to fix a critical vulnerability that could be exploited to deploy denial of service (DoS) attacks remotely.

This vulnerability, tracked as CVE-2020-10713, is a critical NULL pointer dereference issue and was reported by David Benjamin from Google’s security team. The flaw is present in all versions 1.1.1 and 1.0.2.

In their report, OpenSSL security teams mention: “X.509 GeneralName is a generic type for representing different types of names. One of those types of names is known as EDIPartyName. OpenSSL provides a GENERAL_NAME_cmp function that compares different instances of GENERAL_NAME to see if they are equal or not. The function behaves unexpectedly when both GENERAL_NAME an EDIPARTYNAME. This could lead to NULL pointer dereference and eventual denial of service.”

Once developers reported the patch, multiple organizations issued security alerts to notify their users of the potential risk associated with the exploitation. In a recent notice, the Cybersecurity and Infrastructure Security Agency (CISA) urged administrators and users to verify which version of OpenSSL their organizations are running, in order to prevent any potential risk.

Linux distributions, including Red Hat, Debian, Ubuntu, and CloudLinux have also issued security notices. Chinese security firm Quihoo 360 claims to have detected millions of vulnerable servers, mainly in the U.S.

Finally, Palo Alto Networks researchers issued a notice last Wednesday to inform their customers that this OpenSSL flaw does not affect their PAN-OS, GlobalProtect App or Cortex XSOAR products: “The conditions for exploiting this vulnerability do not exist in these products,” the company says. More industry organizations could issue their own releases in the coming days.