ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings, which are represented as a buffer for the string data which is terminated with a NUL (0) byte.

Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions), as well as any string whose value has been set with the ASN1_STRING_set() function, will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING structure. This can also happen by using the ASN1_STRING_set0() function.

Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non-NUL-terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.

If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext).

Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
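The length-versus-terminator mismatch described above, shown with a stand-in struct. This is an added example, not OpenSSL code: `lp_string`, `flawed_len` and `lp_to_cstr` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the length + data layout described above (hypothetical
 * type for illustration; not OpenSSL's ASN1_STRING definition). */
struct lp_string {
    int length;                 /* number of valid bytes in data */
    const unsigned char *data;  /* not guaranteed to be NUL terminated */
};

/* Constructed sample: 18 bytes of string data followed directly by
 * unrelated bytes, inside one array so every read below is defined. */
static const unsigned char arena[] = "alice@example.test" "ADJACENT-SECRET";

/* Flawed pattern: trusts a NUL terminator and ignores the length field. */
static size_t flawed_len(const struct lp_string *s)
{
    return strlen((const char *)s->data);
}

/* Hardened pattern: copy exactly `length` bytes, then terminate the copy.
 * Returns a malloc'd C string, or NULL on bad input or failed allocation. */
static char *lp_to_cstr(const struct lp_string *s)
{
    char *out;
    if (s == NULL || s->length < 0 || (s->length > 0 && s->data == NULL))
        return NULL;
    out = malloc((size_t)s->length + 1);
    if (out == NULL)
        return NULL;
    if (s->length > 0)
        memcpy(out, s->data, (size_t)s->length);
    out[s->length] = '\0';
    return out;
}

int main(void)
{
    struct lp_string email = { 18, arena };
    char *safe = lp_to_cstr(&email);

    printf("flawed length: %zu\n", flawed_len(&email));   /* 33, not 18 */
    printf("bounded copy : %s\n", safe ? safe : "(null)");
    /* No copy needed for printing: the precision caps the read. */
    printf("bounded print: %.*s\n", email.length, (const char *)email.data);
    free(safe);
    return 0;
}
```

In a real process the bytes after the buffer are whatever the allocator placed there, so the flawed read may run into unmapped memory (a crash) or into unrelated heap contents (disclosure).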
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | NONE |
| Availability Impact | HIGH |

AV:N/AC:M/Au:N/C:P/I:N/A:P

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | NONE |
| Availability Impact | PARTIAL |

| Source | Type | Description |
|---|---|---|
| [email protected] | Primary | en: CWE-125 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | en: CWE-125 |

| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| openssl | openssl | * | * | Application |
| openssl | openssl | * | * | Application |
| debian | debian_linux | 9.0 | * | Operating System |
| debian | debian_linux | 10.0 | * | Operating System |
| debian | debian_linux | 11.0 | * | Operating System |
| netapp | clustered_data_ontap | - | * | Application |
| netapp | clustered_data_ontap_antivirus_connector | - | * | Application |
| netapp | e-series_santricity_os_controller | * | * | Application |
| netapp | hci_management_node | - | * | Application |
| netapp | manageability_software_development_kit | - | * | Application |
| netapp | santricity_smi-s_provider | - | * | Application |
| netapp | solidfire | - | * | Application |
| netapp | storage_encryption | - | * | Application |
| mcafee | epolicy_orchestrator | * | * | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | - | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_1 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_10 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_2 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_3 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_4 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_5 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_6 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_7 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_8 | Application |
| mcafee | epolicy_orchestrator | 5.10.0 | update_9 | Application |
| tenable | nessus_network_monitor | * | * | Application |
| tenable | tenable.sc | * | * | Application |
| oracle | essbase | * | * | Application |
| oracle | essbase | * | * | Application |
| oracle | essbase | 21.3 | * | Application |
| oracle | mysql_connectors | * | * | Application |
| oracle | mysql_enterprise_monitor | * | * | Application |
| oracle | mysql_server | * | * | Application |
| oracle | mysql_server | * | * | Application |
| oracle | mysql_workbench | * | * | Application |
| oracle | peoplesoft_enterprise_peopletools | 8.57 | * | Application |
| oracle | peoplesoft_enterprise_peopletools | 8.58 | * | Application |
| oracle | peoplesoft_enterprise_peopletools | 8.59 | * | Application |
| oracle | secure_backup | 18.1.0.1.0 | * | Application |
| oracle | zfs_storage_appliance_kit | 8.8 | * | Application |
| siemens | sinec_infrastructure_network_services | * | * | Application |
| oracle | communications_cloud_native_core_console | 1.9.0 | * | Application |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 1.7.0 | * | Application |
| oracle | communications_cloud_native_core_unified_data_repository | 1.15.0 | * | Application |
| oracle | communications_session_border_controller | 8.4 | * | Application |
| oracle | communications_session_border_controller | 9.0 | * | Application |
| oracle | communications_unified_session_manager | 8.2.5 | * | Application |
| oracle | communications_unified_session_manager | 8.4.5 | * | Application |
| oracle | enterprise_communications_broker | 3.2.0 | * | Application |
| oracle | enterprise_communications_broker | 3.3.0 | * | Application |
| oracle | enterprise_session_border_controller | 8.4 | * | Application |
| oracle | enterprise_session_border_controller | 9.0 | * | Application |
| oracle | health_sciences_inform_publisher | 6.2.1.0 | * | Application |
| oracle | health_sciences_inform_publisher | 6.3.1.1 | * | Application |
| oracle | jd_edwards_enterpriseone_tools | * | * | Application |
| oracle | jd_edwards_world_security | a9.4 | * | Application |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:storage_encryption:-:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:* |
| Yes | cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:tenable:nessus_network_monitor:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:essbase:21.3:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:secure_backup:18.1.0.1.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:communications_unified_session_manager:8.2.5:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:communications_unified_session_manager:8.4.5:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:health_sciences_inform_publisher:6.2.1.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:health_sciences_inform_publisher:6.3.1.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:* |