Brendan Ang

Search

Search IconIcon to open search

X.509 Email Address Vulnerability

Last updated Mar 27, 2023 Edit Source

# How it happened

The vulnerability is caused by a 4-byte buffer overflow that can be triggered in OpenSSL X.509 certificate verification. This is caused by an off-by-one error inside the function ossl_punycode_decode in the OpenSSL Punycode library, which is used for email name constraint checking.

Punycode is an encoding for representing Unicode characters in multiple languages using ASCII character subset and the vulnerable code was introduced in OpenSSL version 3.0 to to support punycode decoding, for example, email addresses of non-ASCII characters. Specifically, the “max length” argument passed to this function is not verified if out of bounds.

# The (potential) effect/impact of the security incident

The vulnerability allows an attacker to craft a malicious email address which if decoded to exactly 4 more bytes more than the maximum length, will overwrite the memory space immediately following the decoded string. This allows the attacker to control the overflowed 4 bytes on the stack which could cause a crash and subsequently a denial of service, or potentially result in remote code execution. Thus, this vulnerability was initially labelled as critical.

The vulnerable constraint name checking occurs after certificate chain signature verification. This means that an attacker can exploit the vulnerability in 2 ways:

  1. Create a malicious certificate and have a certificate authority sign it. Host a server with the certificate, attacking incoming TLS clients.
  2. A TLS server application requesting client authentication could continue certificate verification of the malicious certificate insecurely, causing the overflow to run on the server.

However, many platforms implement stack overflow protection which would help to mitigate against the risk of remote code execution. Additionally, on certain Linux distributions, the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used. This means that no crash or remote code execution was possible. In light of the reduced likelihood of remote code execution, the incident was downgraded to high.

# How it was detected

The issue was reported to OpenSSL on 17th October 2022 by the security researcher Polar Bear, who was performing an audit of OpenSSL code.

# How it was handled

Prenotification to several organisations helped to obtain feedback and technical details of the overflow on various common architectures and platforms. However, the prenotification did not include most security vendors, raising a lot of criticism.

# How it was communicated (to specialists/researchers/public authorities/the public),

OpenSSL notified various organisations under their prenotification policy on 25 October 2022 that a critical fix was pending. On 1 November 2022, a security advisory was published along with the release of version 3.0.7, with recommendations for users to upgrade from OpenSSL version 3.0 to 3.0.7.

# Fixed (or not fixed)

Fixes were developed by Dr Paul Dale and released as OpenSSL version 3.0.7 on 1 November 2022.

# References