Buffer overflow and out of bounds read vulnerabilities in OpenSSL

Cybersecurity specialists report the detection of two severe vulnerabilities in OpenSSL. According to the report, successful exploitation of these flaws would allow attacks that could completely compromise the target system.

Below are brief descriptions of the reported flaws, along with their CVE identifiers and the scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-3711: A boundary error in the EVP_PKEY_decrypt() function within the implementation of SM2 decryption would allow remote threat actors to send specially crafted SM2 content and trigger a buffer overflow by 62 bytes, resulting in an arbitrary code execution scenario.

The vulnerability received a CVSS score of 8.5 / 10, which is why it is considered a high severity bug.

CVE-2021-3712: A boundary condition when processing ASN.1 strings allows remote attackers to pass specially crafted data to the application, thus triggering an out-of-bounds read flaw.

This flaw received a CVSS score of 5.7/10, and its successful exploitation allows denial of service (DoS) attacks.

According to the report, these flaws reside in the following OpenSSL versions: 1.0.2, 1.0.2a, 1.0.2b, 1.0.2c, 1.0.2d, 1.0.2e, 1.0.2f, 1.0.2g, 1.0.2h, 1.0.2i, 1.0.2j, 1.0.2k, 1.0.2l, 1.0.2m, 1.0.2n, 1.0.2o, 1.0.2p, 1.0.2q, 1.0.2r, 1.0.2s, 1.0.2t, 1.0.2u, 1.0.2v, 1.0.2w, 1.0.2x, 1.0.2y, 1.1.1, 1.1.1a, 1.1.1b, 1.1.1c, 1.1.1d, 1.1.1e, 1.1.1f, 1.1.1g, 1.1.1h, 1.1.1i, 1.1.1j & 1.1.1k.

Although the flaws can be exploited by unauthenticated remote threat actors, cybersecurity experts have detected no active exploit attempts so far. Still, users of affected OpenSSL implementations are advised to update as soon as possible; security patches are now available on official platforms.
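A defender's check against the version list above, as an added example that is not part of the original report: it parses `openssl version` banners collected from an inventory and flags the hosts whose version is on the list. The function names, host names and sample banners are constructed for illustration.

```python
import re

# Affected ranges as listed in this article: 1.0.2 through 1.0.2y and
# 1.1.1 through 1.1.1k. An empty suffix is the base release; the single
# letters a..z follow it in order.
LAST_LISTED = {"1.0.2": "y", "1.1.1": "k"}

# Matches banners such as "OpenSSL 1.1.1k  25 Mar 2021" and
# "OpenSSL 1.0.2k-fips  26 Jan 2017" (a build tag like "-fips" is ignored).
BANNER = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-[\w.]+)?(?:\s|$)")


def parse_banner(banner):
    """Return (base, letter_suffix) from `openssl version` output, or None."""
    m = BANNER.match(banner.strip())
    return (m.group(1), m.group(2)) if m else None


def is_listed(banner):
    """True if the version is on the article's list, False if it is not,
    None if the banner is not a recognisable OpenSSL banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    base, suffix = parsed
    last = LAST_LISTED.get(base)
    if last is None:
        return False
    # Two-letter suffixes (for example "za") come after "z" and are not listed.
    if len(suffix) > 1:
        return False
    return suffix <= last


def flagged_hosts(inventory):
    """Return the sorted host names whose banner is on the list."""
    return sorted(h for h, b in inventory.items() if is_listed(b))


# Constructed sample inventory (host names are hypothetical).
SAMPLE = {
    "web-01": "OpenSSL 1.1.1k  25 Mar 2021",
    "web-02": "OpenSSL 1.1.1l  24 Aug 2021",
    "legacy-01": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "build-01": "OpenSSL 3.0.0 7 sep 2021",
    "mac-01": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE))
```

Distribution packages often backport fixes without changing the upstream version letter, so treat a match as a prompt to check the package changelog rather than as proof of exposure.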
