CVE-2020-1967: OpenSSL Denial-Of-Service Vulnerability Alert

OpenSSL has officially released a security advisory for a denial-of-service vulnerability in its TLS 1.3 component. The vulnerability is tracked as CVE-2020-1967 and is rated high severity.

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites. TLS (Transport Layer Security) is a security protocol whose purpose is to provide confidentiality and data integrity guarantees for Internet communications. This protocol is widely supported in applications such as browsers, e-mail, instant messaging, VoIP, and Internet fax, and it has become the industry standard for secure communications on the Internet.

OpenSSL 1.1.1

OpenSSL contains a denial-of-service vulnerability. An attacker can send a specially crafted request packet that causes the service on the target host to crash, resulting in denial of service.

Vulnerability details

“Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the ‘signature_algorithms_cert’ TLS extension,” reads the advisory published by the OpenSSL Project.

“The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.”

Affected version

  • openssl:1.1.1d
  • openssl:1.1.1e
  • openssl:1.1.1f

Solution

Upgrade to version 1.1.1g
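To check whether a host runs one of the affected builds listed above, the following added example (not from the OpenSSL advisory) parses the first line of `openssl version` output, handling the letter patch suffix used by the 1.1.1 series, and compares it against the affected range 1.1.1d to 1.1.1f. The sample banners in the test are constructed; note that distribution builds often backport the fix while keeping an affected-looking version string, so a banner check is only a first indicator.

```python
import re
import subprocess

# Versions named in the advisory: 1.1.1d through 1.1.1f are affected, 1.1.1g is fixed.
AFFECTED_FIRST = (1, 1, 1, "d")
AFFECTED_LAST = (1, 1, 1, "f")
FIXED_VERSION = "1.1.1g"

# Matches "OpenSSL 1.1.1f ..." ; the trailing letters are the 1.1.1-series patch suffix.
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letters) from an `openssl version` banner,
    or None if the banner is not an OpenSSL banner (e.g. LibreSSL)."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_affected_by_cve_2020_1967(banner):
    """True if the banner's version falls inside the affected range.
    Tuple comparison orders the numeric parts first and the letter suffix last,
    so 1.1.1 (no suffix) and 1.1.1g both compare as outside the range."""
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return AFFECTED_FIRST <= version <= AFFECTED_LAST


def assess(banner):
    """Return a short, human-readable verdict for one banner.
    Caveat: vendor builds may backport the fix without changing the version string."""
    if is_affected_by_cve_2020_1967(banner):
        return "AFFECTED by CVE-2020-1967: upgrade to %s or later" % FIXED_VERSION
    return "not in the affected range for CVE-2020-1967"


if __name__ == "__main__":
    # Query the local openssl binary; assumes it is on PATH.
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    print(out.stdout.strip(), "->", assess(out.stdout))
```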