A critical security vulnerability (CVE-2023-0217) has been discovered in OpenSSL's EVP_PKEY_public_check() function, which could potentially allow an attacker to cause a denial of service (DoS) attack. This vulnerability involves an invalid pointer dereference on read, which can be triggered when an application tries to check a malformed DSA public key. The vulnerability remains exploitable even if the applications receive public keys from untrusted sources, which could lead to an application crash.

In this long read, we will delve deeper into the details of this vulnerability, including code snippets, links to original references, and exploitation methods.

Affected Versions

The vulnerability has been found in OpenSSL versions before 3..2.

Exploit Details

The EVP_PKEY_public_check() function is used to perform sanity checks on DSA public keys. If the public key is malformed, the function can cause an invalid pointer dereference on read, leading to application crashes.

Although the TLS implementation in OpenSSL does not call this function, applications might still be affected if they employ the function for additional security requirements as required by standards such as FIPS 140-3.

Here's a code snippet highlighting the vulnerable portion

int EVP_PKEY_public_check(const EVP_PKEY *pkey)
   {
       if (pkey->ameth == NULL || pkey->ameth->public_check == NULL) {
           ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
           return -2;
       }
       return pkey->ameth->public_check(pkey);
   }

As seen from the snippet, if the pkey->ameth->public_check pointer is NULL, the operations could fail, causing an invalid pointer dereference.

Mitigation

The OpenSSL project has provided a patch for the affected versions in its repository. The users should apply the patch as soon as possible to prevent potential attacks.

- OpenSSL GitHub Repository - Patch for CVE-2023-0217

For those who cannot immediately patch their systems, a potential workaround is to avoid calling the EVP_PKEY_public_check() function on public keys supplied from untrusted sources.

Conclusion

The CVE-2023-0217 vulnerability found in OpenSSL's EVP_PKEY_public_check() function can potentially allow a remote attacker to cause a denial of service attack. It is essential to update OpenSSL to the patched version or apply the provided patch to keep your applications protected.

For further information, you can refer to the following resources

- CVE-2023-0217 - National Vulnerability Database
- OpenSSL Security Advisory

Timeline

Published on: 02/08/2023 20:15:00 UTC
Last modified on: 02/24/2023 15:15:00 UTC