OpenSSL v1.1.1k and Below Are Affected by the Vulnerabilities
Several companies that ship the OpenSSL cryptography library are reportedly scrambling to release security advisories to their users after two vulnerabilities in the library were fixed and disclosed on Aug. 24. The companies are now informing users about the affected products, the affected versions and the fixes available for these flaws.
CVE-2021-3711 is a high-severity (CVSS 9.8, critical) buffer overflow in SM2 decryption, and CVE-2021-3712 is a high-severity (CVSS 7.4) buffer overrun that can result in a denial-of-service attack.
At the time of the initial disclosure, the number of organizations and products affected by these OpenSSL flaws was not known. Now, however, several major vendors, including Alpine Linux, Debian, Red Hat, Ubuntu and SUSE, along with network-attached storage device manufacturers QNAP and Synology, have all issued security advisories to alert their users.
There have not been any reports so far of the vulnerabilities being exploited in the wild.
Details About the Vulnerabilities
OpenSSL notes that CVE-2021-3711 is a miscalculation of a buffer size found in its SM2 decryption function. This allows around 62 arbitrary bytes of data to be written outside the buffer.
“A remote attacker could use this flaw to crash an application supporting SM2 signature or encryption algorithm, or possibly execute arbitrary code with the permissions of the user running that application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability,” says Red Hat’s advisory.
CVE-2021-3712 was first identified by Ingo Schwarze in the X509_aux_print() function. He reported his findings to OpenSSL on July 18. OpenSSL committed the fix on July 20, but on Aug. 17, security researcher David Benjamin identified other instances of this vulnerability. Those were later fixed by OpenSSL developer Matt Caswell.
“If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions, then this issue could be hit,” the OpenSSL advisory says. “This might result in a crash [causing a DoS attack]. It could also result in the disclosure of private memory contents [such as private keys, or sensitive plaintext].”
The Alpine Linux operating system has released version 3.14.2 for the immediate fix of both the OpenSSL vulnerabilities and has urged its users to upgrade at the earliest opportunity.
Ubuntu has also fixed these flaws with the release of its latest package versions: 1.1.1j-1ubuntu3.5 for Ubuntu 21.04, 1.1.1f-1ubuntu2.8 for Ubuntu 20.04 and 1.1.1-1ubuntu2.1~18.04.13 for Ubuntu 18.04.
Red Hat Enterprise Linux 7 and 8 are widely used, but the company clarified that neither version is affected by the CVE-2021-3711 flaw, as neither supports the SM2 algorithm. Red Hat did state that its Advanced Cluster Management for Kubernetes 2.3.1 and earlier versions use the vulnerable OpenSSL library. It added, however, that “the vulnerable code path is not reachable,” and therefore exploitation is prevented.
NAS device manufacturer QNAP’s security advisory notes that its NAS products running Hybrid Backup Sync 3 are reportedly affected by these two out-of-bounds vulnerabilities. QNAP says it is still “thoroughly investigating the case,” adding, “We will release security updates and provide further information as soon as possible.”
Synology has also informed its users that no mitigation is currently available, and that its products including Synology DiskStation Manager, Synology Router Manager, VPN Plus Server and VPN Server are all “susceptible” to these flaws.
Another popular data management and enterprise application provider, NetApp, has notified users that NetApp Manageability SDK 9.8P1-P2, which uses OpenSSL 1.0.2, could be affected by CVE-2021-3712.
The alpha and beta versions of OpenSSL 3.0 are also affected by these flaws, but “this issue will be addressed before the final release,” says OpenSSL.
Apart from the security advisories of the respective companies, governmental agencies such as the U.S. Cybersecurity and Infrastructure Security Agency, India’s National Critical Information Infrastructure Protection Center and JPCERT in Japan have also advised users to upgrade vulnerable installations to the latest patched OpenSSL version.
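A practical check for the affected ranges described above, as an added example that is not code from the article or from the OpenSSL project: it parses the banner printed by `openssl version` and flags builds that fall inside the upstream affected ranges (1.1.1 through 1.1.1k for both CVEs, 1.0.2 for CVE-2021-3712 only, and the 3.0 alpha/beta pre-releases). The fixed release letters it relies on, 1.1.1l and, for 1.0.2 premium-support users, 1.0.2za, are not named in the article; they are the upstream fix releases as known to the editor. The sample banners in the block are constructed.

```python
"""Flag OpenSSL builds inside the CVE-2021-3711 / CVE-2021-3712 affected ranges.

Added example for this article (not OpenSSL project code). Input is the text
printed by `openssl version`; the sample banners below are constructed.
"""
import re
import subprocess

# Matches banners such as "OpenSSL 1.1.1k  25 Mar 2021" or "OpenSSL 3.0.0-beta2 ...".
VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]*)(?:-(?P<pre>alpha|beta)\d*)?"
)

BOTH = ["CVE-2021-3711", "CVE-2021-3712"]


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, prerelease) or None if `text` is not
    an OpenSSL banner (LibreSSL and others deliberately do not match)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"]),
            m["letter"] or "", m["pre"] or "")


def affected_cves(text):
    """CVE identifiers whose upstream affected range includes this build.

    1.1.1 .. 1.1.1k: both CVEs (fixed in 1.1.1l, a letter not named in the article).
    1.0.2 .. 1.0.2z: CVE-2021-3712 only; SM2 decryption did not exist before 1.1.1
                     (fix for premium-support users is 1.0.2za, also not in the article).
    3.0 alpha/beta:  both CVEs, per OpenSSL's note that 3.0 pre-releases are affected.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % text)
    major, minor, patch, letter, pre = parsed
    series = (major, minor, patch)
    # Release letters sort alphabetically; "" (no letter) is the base release.
    if series == (1, 1, 1) and letter <= "k":
        return list(BOTH)
    if series == (1, 0, 2) and letter < "za":
        return ["CVE-2021-3712"]
    if major == 3 and pre:
        return list(BOTH)
    return []


def check_local_binary():
    """Run the system `openssl` and return (banner, affected CVE list), or None
    when no openssl binary is on PATH."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip(), affected_cves(out)


# Constructed sample banners covering each branch of affected_cves().
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1k  25 Mar 2021",
    "OpenSSL 1.1.1l  24 Aug 2021",
    "OpenSSL 1.0.2u  20 Dec 2019",
    "OpenSSL 3.0.0-beta2  28 Jul 2021",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print("%-36s -> %s" % (banner, affected_cves(banner) or "not in affected range"))
    local = check_local_binary()
    if local:
        print("local binary: %s -> %s" % (local[0], local[1] or "not in affected range"))
```

The upstream letter is only reliable for builds taken directly from openssl.org. Distribution packages backport the fix without bumping the letter: Ubuntu's patched 1.1.1f-1ubuntu2.8 still prints "OpenSSL 1.1.1f", so on distro systems compare the package version (for example `dpkg -s libssl1.1` on Ubuntu) against the versions in the vendor advisory instead. Embedded copies in appliances such as the QNAP and Synology products above do not show up in the system binary at all and need the vendor's firmware advisory.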