=====================================================================

                               CERT-Renater

                    Note d'Information No. 2023/VULN204

_____________________________________________________________________

DATE                : 01/06/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenSSL versions prior to 3.0.9,
                              3.1.1, 1.1.1u, 1.0.2zh.

=====================================================================
https://www.openssl.org/news/secadv/20230530.txt
_____________________________________________________________________

OpenSSL Security Advisory [30th May 2023]
=========================================

Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
=================================================================

Severity: Moderate

Issue summary: Processing some specially crafted ASN.1 object
identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use
any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or
TS with no message size limit may experience notable to very long
delays when processing those messages, which may lead to a Denial
of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - 
sub-identifiers - most of which have no size limit.  OBJ_obj2txt() may
be used to translate an ASN.1 OBJECT IDENTIFIER given in DER
encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical
numeric text form, which are the sub-identifiers of the OBJECT
IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very
large (these are sizes that are seen as absurdly large, taking up
tens or hundreds of KiBs), the translation to a decimal number in
text may take a very long time.  The time complexity is O(n^2)
with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using
names / identifiers in string form was introduced.  This includes
using OBJECT IDENTIFIERs in canonical numeric text form as
identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1
structure AlgorithmIdentifier, which is commonly used in
multiple protocols to specify what cryptographic algorithm
should be used to sign or verify, encrypt or decrypt, or digest
passed data.

Applications that call OBJ_obj2txt() directly with untrusted
data are affected, with any version of OpenSSL.  If the use is
for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS.  It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL
have a 100KiB limit on the peer's certificate chain.  Additionally,
this only impacts clients, or servers that have explicitly
enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse
objects, such as X.509 certificates.  This is assumed to not happen
in such a way that it would cause a Denial of Service, so these
versions are considered not affected by this issue in such a way
that it would be cause for concern, and the severity is therefore
considered low.

No version of the FIPS provider is affected by this issue.

OpenSSL 3.0.x and 3.1.x are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 users may be affected by this issue when
calling OBJ_obj2txt() directly.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium
support customers only).

OSSfuzz first detected and automatically reported this issue on
16th January 2020. At that time OpenSSL 3.0 was still in early
development and it was not identified as a security concern at
that time. On 23rd April 2023 the issue was reexamined and
identified as a security issue by Matt Caswell.
The fix was developed by Richard Levitte.

(*) A measurement showed about 2 seconds for 100KiB and a minute
for 500KiB.
This measurement wasn't made to demonstrate exact time ranges,
but rather to demonstrate the quadratic nature of the issue.

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230530.txt

Note: the online version of the advisory may be updated with
additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/general/security-policy.html

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that
date security fixes for 1.1.1 will only be available to premium
support customers.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================