In this article, we will be taking a deep dive into a security vulnerability within OpenSSL .9.8s and 1..f, known as CVE-2012-0050, which affects applications utilizing Datagram Transport Layer Security (DTLS) protocol. The vulnerability allows remote attackers to cause a denial of service (DoS) by crashing the affected systems with an out-of-bounds read. It is important to note that this vulnerability exists due to an incorrect fix applied for CVE-2011-4108.

What is DTLS?

DTLS is a protocol that provides communications privacy for datagram protocols. It is a variant of the Secure Sockets Layer (SSL) protocol and is designed to provide encryption and authentication between applications communicating over the internet. You can learn more about the DTLS protocol here.

The Vulnerability

The CVE-2012-0050 vulnerability exists in OpenSSL .9.8s and 1..f due to an incorrect fix for a prior vulnerability (CVE-2011-4108). The incorrect pseudo-code of the specific incorrect fix looks like this:

if(pointer_offset <  || pointer_offset >= buffer_size) {
    // Out-of-bounds access, return error
    return -1;
}
else {
    // Access memory
    char data = buffer[pointer_offset];
}

The block of code above checks if the pointer offset is either negative or greater than or equal to the buffer size. If that condition is true, the code returns an error. However, the correct behavior should be to treat the result as out-of-bounds when the pointer offset is strictly greater than the buffer size.

The correct fix should look like this

if(pointer_offset <  || pointer_offset > buffer_size) {
    // Out-of-bounds access, return error
    return -1;
}
else {
    // Access memory
    char data = buffer[pointer_offset];
}

Due to the incorrect fix, remote attackers can craft specifically designed datagrams that can trigger the out-of-bounds read. This will lead to a crash and ultimately result in a denial of service attack.

Exploit Details

While there are no specific details about the exploits targeting this vulnerability, it is important to understand that remote attackers can craft malformed DTLS packets to target the vulnerable OpenSSL code and cause a system crash. By doing so, they can potentially bring down critical services and infrastructure that rely on OpenSSL for security.

Solutions and Mitigations

Upon the discovery of CVE-2012-0050, a patch was released to address this vulnerability in OpenSSL versions .9.8t and 1..h. The patch applied the correct fix mentioned earlier in this article, thereby mitigating the risk of the denial of service attacks.

If you are using OpenSSL .9.8s or 1..f, it is strongly advised to update to the appropriate patched version to mitigate the risk of a denial of service attack due to this vulnerability. Additionally, it is always a good practice to keep your software and systems updated to the latest versions that contain security patches and improvements.

References

1. CVE-2012-0050
2. CVE-2011-4108
3. OpenSSL Changelog
4. OpenSSL Changelog
5. RFC 4347

Timeline

Published on: 01/19/2012 19:00:00 UTC
Last modified on: 08/19/2016 15:57:01 UTC