A new vulnerability (CVE-2023-0215) has been discovered in the public API function BIO_new_NDEF, which is used for streaming ASN.1 data via a BIO in OpenSSL. This is primarily used internally to support the SMIME, CMS, and PKCS7 streaming capabilities but may also be called directly by end-user applications.

The main problem is caused by poor cleanup of the BIO chain in certain conditions, for example, if a CMS recipient public key is invalid. The new filter BIO gets freed, and the function returns a NULL result indicating a failure. However, the BIO passed by the caller still retains internal pointers to the freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO, a use-after-free will occur, ultimately leading to a crash.

Below is a simple code snippet that can trigger the vulnerability (use-after-free) and crash. BIO_new_NDEF() takes the BIO to write to, the ASN.1 structure to stream and its ASN1_ITEM descriptor; here `val` and `it` stand for those last two arguments:

```c
#include <openssl/asn1.h>
#include <openssl/bio.h>

/* val: the ASN1_VALUE to stream, it: its ASN1_ITEM descriptor */
BIO *bio = BIO_new(BIO_s_mem());
BIO *ndef = BIO_new_NDEF(bio, val, it);
BIO *result;

if (!ndef) {
    /* On failure bio still points at the freed filter BIO,
     * so this BIO_pop() touches freed memory. */
    result = BIO_pop(bio); // Use-after-free occurs here
}
```

Public API functions that call BIO_new_NDEF() internally, and therefore reach the same faulty cleanup, include i2d_PKCS7_bio_stream.

Notably, the OpenSSL cms and smime command-line applications are also affected by this vulnerability.

The problem resides in the internal function B64_write_ASN1(), which may call BIO_new_NDEF() and will then call BIO_pop() on the BIO if the new BIO is NULL.
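The following is an added example, not OpenSSL code, that models the BIO chain handling described above (the dangling pointer left behind by BIO_new_NDEF() and the BIO_pop() that B64_write_ASN1() and other callers perform on failure). It replaces malloc with a small arena so that a "freed" BIO can still be inspected, and it counts every access to a dead BIO instead of crashing, which is the event a sanitizer would flag as a use-after-free in the real library. The `fixed` flag selects between freeing the filter BIO directly (the bug) and unlinking it with a pop before the free (the remedy OpenSSL applied); the function names, the arena and the `touch()` helper are assumptions of this model and do not exist in OpenSSL.

```c
/* Model of the BIO chain bug behind CVE-2023-0215 (added example, not OpenSSL code). */
#include <stddef.h>
#include <stdio.h>

typedef struct bio_st {
    const char *name;
    int alive;                 /* 0 once bio_free() has run */
    struct bio_st *next_bio;   /* towards the sink, as in OpenSSL */
    struct bio_st *prev_bio;   /* towards the source */
} BIO;

static BIO arena[8];           /* fixed arena instead of malloc, so dead BIOs stay inspectable */
static int arena_used;
static int uaf_accesses;       /* accesses to a dead BIO, counted instead of crashing */

static BIO *bio_new(const char *name) {
    BIO *b = &arena[arena_used++];
    b->name = name;
    b->alive = 1;
    b->next_bio = b->prev_bio = NULL;
    return b;
}

/* Like OpenSSL's BIO_free(): releases one BIO but does not unlink it from its chain */
static void bio_free(BIO *b) {
    b->alive = 0;
}

/* touch() stands in for any dereference of a BIO pointer */
static BIO *touch(BIO *b) {
    if (b != NULL && !b->alive)
        uaf_accesses++;
    return b;
}

/* BIO_push(b, append): b becomes the new head in front of append */
static BIO *bio_push(BIO *b, BIO *append) {
    touch(b)->next_bio = append;
    if (append != NULL)
        touch(append)->prev_bio = b;
    return b;
}

/* BIO_pop(b): unlink b from its chain and return the BIO that followed it */
static BIO *bio_pop(BIO *b) {
    BIO *ret = touch(b)->next_bio;
    if (b->prev_bio != NULL)
        touch(b->prev_bio)->next_bio = b->next_bio;  /* dangling prev_bio => write into freed BIO */
    if (b->next_bio != NULL)
        touch(b->next_bio)->prev_bio = b->prev_bio;
    b->next_bio = b->prev_bio = NULL;
    return ret;
}

/*
 * Simplified BIO_new_NDEF(): prepend a filter BIO to `out`, then fail as it
 * would when e.g. a CMS recipient key is invalid. `fixed` chooses the cleanup:
 * pop-then-free clears out->prev_bio; free-only leaves it dangling.
 */
static BIO *new_ndef_filter(BIO *out, int fixed) {
    BIO *asn_bio = bio_new("asn1-filter");
    out = bio_push(asn_bio, out);
    /* ... streaming setup fails here ... */
    if (fixed)
        (void)bio_pop(asn_bio);   /* unlink before freeing (the fix) */
    bio_free(asn_bio);
    return NULL;                  /* caller sees failure, still holds `out` */
}

/* Runs the caller-side pattern from the advisory; returns dead-BIO accesses seen */
static int run_scenario(int fixed) {
    BIO *bio;
    arena_used = 0;
    uaf_accesses = 0;
    bio = bio_new("mem");
    if (new_ndef_filter(bio, fixed) == NULL)
        (void)bio_pop(bio);       /* what B64_write_ASN1() does when the new BIO is NULL */
    return uaf_accesses;
}

int main(void) {
    printf("buggy cleanup: %d use-after-free access(es)\n", run_scenario(0));
    printf("fixed cleanup: %d use-after-free access(es)\n", run_scenario(1));
    return 0;
}
```

The buggy path reports one dead-BIO access: BIO_pop() on the caller's BIO follows its stale prev_bio pointer and writes into the freed filter BIO, which is exactly the write that crashes real applications. With the pop-then-free order the caller's BIO has no predecessor left, so the same BIO_pop() is harmless. The arena is used deliberately; a real malloc/free version would be undefined behaviour and could not be checked deterministically.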

- CVE-2023-0215 Detail
- OpenSSL Advisory

Exploit Details

No full working exploit is publicly available at this time, but developers and security teams should take note of this vulnerability and apply any patches or workarounds published by OpenSSL.

It is highly recommended that users update their OpenSSL version as soon as a patch is released to mitigate this vulnerability. The use-after-free problem can lead to crashes in the affected applications and potentially exposes the system to further exploitation.

In conclusion, CVE-2023-0215 presents a significant vulnerability in OpenSSL's BIO_new_NDEF function, and affected users should take appropriate action to protect their systems by applying any patches or workarounds provided by OpenSSL.

Timeline

Published on: 02/08/2023 20:15:00 UTC
Last modified on: 02/24/2023 15:15:00 UTC