Fwd: [CIVN-2020-0444] NULL pointer dereference Vulnerability in OpenSSL


Software Affected

OpenSSL 1.1.1 (all releases before 1.1.1i) and OpenSSL 1.0.2 (all releases)

Overview

A NULL pointer dereference vulnerability has been found in OpenSSL which may lead to a denial of service (DoS) against a server or client application that uses OpenSSL.

Description

The vulnerability is a NULL pointer dereference in GENERAL_NAME_cmp, the function OpenSSL uses to compare two X.509 GeneralName values: when both values being compared are of the EDIPartyName type, the comparison dereferences a NULL pointer and the process crashes. OpenSSL itself calls this function in two places an attacker can reach: when matching the CRL distribution point names in a certificate against the issuing distribution point name of an available CRL during certificate verification, and when checking that the signer of a timestamp response token matches the timestamp authority name, which is exposed through the API functions TS_RESP_verify_response and TS_RESP_verify_token. Triggering the crash requires the attacker to control both items being compared; for example, if a client or server can be tricked into checking a malicious certificate against a malicious CRL, the crash may occur. Note that some applications automatically download CRLs from a URL embedded in the certificate, and this comparison happens before the signatures on the certificate and the CRL are verified, so the malicious CRL does not need to be validly signed.

Successful exploitation allows a remote attacker to crash the affected client or server, resulting in a denial of service (DoS).

Solution

Upgrade to OpenSSL 1.1.1i.

OpenSSL 1.0.2 and 1.1.0 are out of support and no longer receive public updates, so users of these versions should upgrade to OpenSSL 1.1.1i. (Premium support customers of OpenSSL 1.0.2 can instead upgrade to 1.0.2x, which contains the fix.)
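The following check is an added example, not part of the CERT-In advisory or of OpenSSL's own code. It applies the version rule above to an `openssl version` string (or, with no argument, to the OpenSSL the running Python interpreter is linked against) and reports whether the build is affected by CVE-2020-1971. The ordering of the 1.x patch-letter suffixes, the advice strings and the decision to report versions outside the advisory's list as "not listed" rather than "safe" are assumptions made for this example.

```python
import re
import ssl
import sys

# Matches "1.1.1h", "1.0.2u", "3.0.2" inside strings such as
# "OpenSSL 1.1.1h  22 Sep 2020" (the format printed by `openssl version`).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Status values returned by assess(); the accompanying advice text is illustrative.
VULNERABLE = "vulnerable"
FIXED = "fixed"
UNSUPPORTED = "unsupported"
NOT_LISTED = "not listed"


def parse_version(text):
    """Return (major, minor, fix, letter) from an OpenSSL version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def _letter_key(letter):
    # Assumption: the 1.x patch-letter sequence is "", a, b, ..., z, za, zb, ...
    # so a shorter suffix always sorts before a longer one.
    return (len(letter), letter)


def assess(version_text):
    """Classify a version against CVE-2020-1971 (CIVN-2020-0444).

    Returns (status, advice). Rules follow the advisory: 1.1.1 is fixed from
    1.1.1i onwards; every 1.0.2 release is affected; 1.0.2 and 1.1.0 are out
    of support. Anything else is reported as "not listed", not as safe.
    """
    major, minor, fix, letter = parse_version(version_text)
    branch = (major, minor, fix)
    if branch == (1, 1, 1):
        if _letter_key(letter) >= _letter_key("i"):
            return FIXED, "no action needed for CVE-2020-1971"
        return VULNERABLE, "upgrade to OpenSSL 1.1.1i"
    if branch == (1, 0, 2):
        return VULNERABLE, "1.0.2 is out of support; upgrade to OpenSSL 1.1.1i"
    if branch == (1, 1, 0):
        return UNSUPPORTED, "1.1.0 is out of support; upgrade to OpenSSL 1.1.1i"
    return NOT_LISTED, "not in this advisory's affected list; check current advisories"


def main(argv):
    # With no argument, check the OpenSSL the running interpreter is linked against.
    text = argv[1] if len(argv) > 1 else ssl.OPENSSL_VERSION
    status, advice = assess(text)
    print("%s: %s (%s)" % (text.strip(), status, advice))
    return 0 if status in (FIXED, NOT_LISTED) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_openssl.py "$(openssl version)"` on each host; a non-zero exit marks a build that needs the upgrade. Applications that bundle their own libssl (static builds, vendored copies) will not be covered by the system `openssl` binary's version, so feed the version string of each such library separately.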

Vendor Information

OpenSSL

References

OpenSSL security advisory (8 December 2020): https://www.openssl.org/news/secadv/20201208.txt

Security Tracker

CVE Name

CVE-2020-1971
