Computer emergency response teams (CERTs) and other cybersecurity agencies around the world have released alerts and advisories for a recently disclosed denial-of-service (DoS) vulnerability affecting OpenSSL, and vendors have started assessing the impact of the flaw on their products.
The OpenSSL Project announced this week that OpenSSL 1.1.1i fixes a high-severity vulnerability that can be exploited for remote DoS attacks. The security hole, tracked as CVE-2020-10713 and described as a NULL pointer dereference issue, was reported by Google’s David Benjamin and it impacts all 1.1.1 and 1.0.2 versions.
“The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack,” the OpenSSL Project said in its advisory.