Security advisory reports on August 24th, 2021 indicated that two security vulnerabilities were plaguing OpenSSL itself, one of which was marked as high-severity.
What is OpenSSL?
OpenSSL is a ‘library’ that is instrumental to the functioning of internet servers. More importantly, it is used by the majority of HTTPS-enabled web pages. According to the official web page of OpenSSL, “OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.” OpenSSL is a collaborative project, that utilizes an open-source toolkit that implements Secure Sockets Layer (SSL v2/v3) as well as Transport Layer Security (TLSv1) along with cryptography libraries. As of right now, there are dozens of millions of web pages that are OpenSSL customers. With SSL certificates and encryption needs being in high demand at the moment, the requirement for SSL implementation is only going to grow. Furthermore, due to internet security standards, web pages without proper SSL implementation will be marked as ‘unsafe’ by major web browsers. OpenSSL is a popular option among the cryptography library tools/utilities that all web pages need to have to fulfill modern cybersecurity criteria.
Overview of The Open SSL Vulnerability
On August 24th, 2021 a security advisory report was released pertaining to OpenSSL. The release report details two software vulnerabilities within OpenSSL, one of which is marked as high-severity. The vulnerabilities can amount to a remote attacker acquiring full control of a vulnerable system, thus completely compromising it. The issues were reported to OpenSSL on the 12th of August, 2021 by John Ouyang.
In-Depth Technical Details
The ID code for this vulnerability, according to the general CVE (Common Vulnerabilities and Exposures) database, is CVE-2021-3711. Technically speaking, it is a buffer overflow vulnerability that may allow a remote attacker to execute arbitrary code on a target system. The vulnerability exists due to a boundary error in the EVP_PKEY_decrypt() function within the implementation of the SM2 decryption. A remote attacker can send specially crafted SM2 content for decryption to trigger a buffer overflow by 62 bytes and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system.
Vulnerable OpenSSL Software Versions
OpenSSL versions 1.1.1k and below are vulnerable to this issue. The full list of vulnerable software versions of OpenSSL are as follows;
1.1.1 1.1.1a 1.1.1b 1.1.1c 1.1.1d 1.1.1e 1.1.1f 1.1.1g 1.1.1h 1.1.1i 1.1.1j 1.1.1k
Notes: OpenSSL 3.0 alpha/beta were also affected by this issue, but will be fixed before the final release. OpenSSL version 1.0.2 is not vulnerable to this issue.
Important User Information
A patch exists that mitigates the above vulnerability, which was developed by Matt Caswell. According to the OpenSSL security advisory information, all OpenSSL customers/users should immediately upgrade to OpenSSL 1.1.1l (version L.) Users can download the latest version of OpenSSL on this page, as well as refer to any other additional information.