Cybersecurity specialists report the detection of two severe vulnerabilities in OpenSSL. According to the report, the successful exploitation of these flaws would allow the execution of attacks that could completely compromise the target system.
Below are brief descriptions of the reported failures in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-3711: A boundary error in EVP_PKEY_decrypt() function within implementation of the SM2 decryption would allow remote threat actors to send specially crafted SM2 content and trigger a buffer overflow by 62 bytes, resulting in an arbitrary code execution scenario.
The vulnerability received a CVSS score of 8.5 / 10, which is why it is considered a high severity bug.
CVE-2021-3712: A boundary condition when processing ASN.1 strings allows remote attackers to pass specially crafted data to the application, thus triggering an out-of-bounds read flaw.
This flaw received a 5.7/10 CVSS score and its successful exploitation allows performing denial of service (DoS) attacks.
According to the report, these flaws reside in the following OpenSSL versions: 1.0.2, 1.0.2a, 1.0.2b, 1.0.2c, 1.0.2d, 1.0.2e, 1.0.2f, 1.0.2g, 1.0.2h, 1.0.2i, 1.0.2j, 1.0.2k, 1.0.2l, 1.0.2m, 1.0.2n, 1.0.2o, 1.0.2p, 1.0.2q, 1.0.2r, 1.0.2s, 1.0.2t, 1.0.2u, 1.0.2v, 1.0.2w, 1.0.2x, 1.0.2y, 1.1.1, 1.1.1a, 1.1.1b, 1.1.1c, 1.1.1d, 1.1.1e, 1.1.1f, 1.1.1g, 1.1.1h, 1.1.1i, 1.1.1j & 1.1.1k.
Although flaws can be exploited by unauthenticated remote threat actors, cybersecurity experts have detected no active exploit attempts so far. Still, users of affected OpenSSL implementations are advised to update as soon as possible; security patches are now available on official platforms.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.