CVE-2023-0286

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 08/02/2023
Last modified: 04/11/2025

Description

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Vulnerable products and versions

CPE                                                                  From               Up to
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*                            1.0.2 (including)  1.0.2zg (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*                            1.1.1 (including)  1.1.1t (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*                            3.0.0 (including)  3.0.8 (excluding)
cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*  -                  3.3.3 (excluding)
cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*   2.7.0 (including)  2.7.11 (excluding)
cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*   2.8.0 (including)  3.7.34 (excluding)
cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*   3.8.0 (including)  3.11.22 (excluding)
cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*   4.0.0 (including)  4.6.3 (excluding)
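The following is an added example, not part of the advisory: a check of an OpenSSL version string against the OpenSSL rows of the table above, including the letter-suffixed releases (1.0.2zg sorts after 1.0.2z). The function names are hypothetical, and the letter ordering (shorter suffix first, then alphabetical) is an assumption based on OpenSSL's 1.x release naming.

```python
import re
import ssl

# OpenSSL ranges from the table above: (first affected, first fixed).
AFFECTED_RANGES = [("1.0.2", "1.0.2zg"), ("1.1.1", "1.1.1t"), ("3.0.0", "3.0.8")]

# Matches e.g. "1.0.2zf", "3.0.7", or the version inside "OpenSSL 1.0.2k-fips  26 Jan 2017".
_RELEASE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:pre|alpha|beta|dev)\w*)?")


def version_key(text):
    """Return a sortable key for the OpenSSL release found in a version string or banner."""
    m = _RELEASE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL release version found in {text!r}")
    major, minor, patch, letters, prerelease = m.groups()
    if prerelease:
        # Pre-releases are not covered by the table; refuse to guess.
        raise ValueError(f"pre-release version not handled: {text!r}")
    # Letter releases: '' < 'a' < ... < 'z' < 'za' < ... < 'zg',
    # so compare suffix length before comparing the letters themselves.
    return (int(major), int(minor), int(patch), len(letters), letters)


def in_affected_range(text):
    """True if the version falls in one of the listed OpenSSL ranges.

    False means "not listed in the table", not "confirmed unaffected".
    """
    key = version_key(text)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Check the OpenSSL build this Python interpreter is linked against.
    banner = ssl.OPENSSL_VERSION
    state = "in a listed affected range" if in_affected_range(banner) else "not listed"
    print(f"{banner}: {state}")
```

Distribution packages often backport fixes without changing the upstream version string, so a match here means the build should be checked against the vendor's advisory rather than treated as confirmed vulnerable.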