CERT and Cybersecurity Agencies Disclosed Denial-of-Service (DoS) Vulnerability Affecting OpenSSL


Computer emergency response teams (CERTs) and other cybersecurity organisations around the world have issued notifications and advisories about OpenSSL’s newly disclosed denial-of-service (DoS) vulnerability, and vendors have begun analysing how the bug affects their products.

This week the OpenSSL Project reported that OpenSSL 1.1.1i patches a high-severity vulnerability that can be abused for remote DoS attacks. Google’s David Benjamin identified the security hole, which is tracked as CVE-2020-10713 and described as a NULL pointer dereference, and it affects all 1.1.1 and 1.0.2 versions.

The X.509 GeneralName type is a generic type used to represent different kinds of names, and EDIPartyName is one of those name forms. OpenSSL provides a function, GENERAL_NAME_cmp, that compares two GENERAL_NAME instances to determine whether they are equal. When both GENERAL_NAMEs contain an EDIPARTYNAME, this function behaves incorrectly. The OpenSSL Project said in its advisory that a NULL pointer dereference and a crash may occur, leading to a possible denial-of-service attack.
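As an added illustration (not OpenSSL’s code and not taken from the advisory), the following simplified C model shows the failure mode described above: an EDIPartyName’s nameAssigner field is OPTIONAL, so a comparison that dereferences it unconditionally crashes when it is absent, while the hardened version checks for presence first. The struct and function names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of an X.509 EDIPartyName (constructed for this example,
 * not OpenSSL's EDIPARTYNAME structure). nameAssigner is OPTIONAL in the
 * ASN.1 definition, so a parsed value may legitimately leave it NULL. */
typedef struct {
    const char *name_assigner; /* OPTIONAL: may be NULL */
    const char *party_name;    /* required */
} edi_party_name;

/* Compare two optional string fields: equal only if both are absent or both
 * are present with identical contents. Returns 0 on equality. */
static int opt_str_cmp(const char *a, const char *b) {
    if (a == NULL && b == NULL) return 0;
    if (a == NULL || b == NULL) return -1; /* present vs. absent differ */
    return strcmp(a, b);
}

/* Vulnerable pattern: dereferences the optional field unconditionally.
 * Calling this with a NULL name_assigner on either side crashes, which is
 * the denial-of-service outcome the advisory describes. Never called here. */
int edi_party_name_cmp_vulnerable(const edi_party_name *a,
                                  const edi_party_name *b) {
    int r = strcmp(a->name_assigner, b->name_assigner); /* NULL deref */
    if (r != 0) return r;
    return strcmp(a->party_name, b->party_name);
}

/* Hardened comparison: handles NULL inputs and the OPTIONAL field before
 * touching any pointer. Returns 0 when the names are equal. */
int edi_party_name_cmp_fixed(const edi_party_name *a,
                             const edi_party_name *b) {
    if (a == NULL || b == NULL) return (a == b) ? 0 : -1;
    int r = opt_str_cmp(a->name_assigner, b->name_assigner);
    if (r != 0) return r;
    return opt_str_cmp(a->party_name, b->party_name);
}
```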

Several organisations released advisories and warnings after the patch became available to alert users to the risk posed by the vulnerability.

The U.S. Cybersecurity and Infrastructure Protection Agency (CISA) has recommended that administrators and users review the OpenSSL advisory and apply the necessary updates where required.

Japan’s JPCERT, France’s CERT-FR, India’s National Sensitive Information Infrastructure Protection Center (NCIIPC) and Australia’s AusCERT are among the national cybersecurity agencies that have issued advisories and warnings for CVE-2020-10713. The European Union’s CERT-EU has posted links to news stories and advisories covering CVE-2020-10713.

Advisories have also been published by Linux distributions, including Red Hat, Debian, Ubuntu and CloudLinux, a distribution designed for hosting providers and data centres.

The computer emergency response team at Chinese cybersecurity company Qihoo 360 said in an advisory released on Wednesday that it had identified millions of affected servers, with the largest numbers in the United States (1.2 million) and China (900,000).

On Wednesday, Palo Alto Networks released an advisory to inform customers that its PAN-OS, GlobalProtect App and Cortex XSOAR products are not affected by the OpenSSL vulnerability. “These products do not have the scenarios required for successful exploitation,” the company said.

This week, IBM published several security bulletins for OpenSSL bugs, but none of them apply to CVE-2020-10713; they address OpenSSL flaws that were patched last year.

Cisco, F5 Networks and other large vendors whose products use OpenSSL may also publish advisories in the coming days.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.