A potential vulnerability has been identified in the OpenSSL cryptographic library, specifically in the X509_VERIFY_PARAM_add_policy() function. This vulnerability could allow certificates with invalid or incorrect policies to bypass the intended certificate verification process. While this vulnerability has not yet been assigned an official CVE identifier, we will use the placeholder CVE-2023-0466 for the purpose of this discussion.

Details

The OpenSSL documentation states that the X509_VERIFY_PARAM_add_policy() function should implicitly enable the certificate policy check during certificate verification. However, the implementation of the function does not actually enable the check, posing a security risk.

The following snippet shows the call that adds a policy but leaves the policy check disabled:

#include <openssl/x509_vfy.h>
...
X509_VERIFY_PARAM *vpm;
vpm = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_add_policy(vpm, policy); // This does not enable policy checks!

Although implementing the correct behavior could mitigate this vulnerability, it could potentially break existing deployments. Therefore, it has been decided to retain the existing implementation of the X509_VERIFY_PARAM_add_policy() function.

Workaround

To work around this issue, applications requiring OpenSSL to perform certificate policy checks should use the X509_VERIFY_PARAM_set1_policies() function or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument, as shown in the following code snippet:

#include <openssl/x509_vfy.h>
...
X509_VERIFY_PARAM *vpm;
vpm = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK); // This does enable policy checks!

Impact

It is important to note that certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications. Hence, the overall impact of this vulnerability is limited.

Conclusion

We recommend reviewing any instances where the X509_VERIFY_PARAM_add_policy() function is being used within your applications and implementing the provided workaround to ensure certificate policy checks are properly enabled, reducing the risk associated with CVE-2023-0466. Additionally, developers should continue to monitor updates pertaining to this vulnerability for further mitigation strategies and possible patch releases.
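One way to carry out the review recommended above, as an added example that is not code from OpenSSL or from the original advisory: a small Python scanner that reports C sources calling X509_VERIFY_PARAM_add_policy() without either workaround. The names find_unenforced_policy_calls and strip_noise and the sample sources are constructed for illustration, and the check is a per-file heuristic.

```python
import re

# The call the advisory says does not enable the policy check ...
ADD_POLICY = re.compile(r"\bX509_VERIFY_PARAM_add_policy\s*\(")
# ... and the two workarounds that do enable it.
SET1_POLICIES = re.compile(r"\bX509_VERIFY_PARAM_set1_policies\s*\(")
SET_FLAGS = re.compile(
    r"\bX509_VERIFY_PARAM_set_flags\s*\([^;]*\bX509_V_FLAG_POLICY_CHECK\b")
# C comments and string literals, blanked so commented-out code is ignored.
NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)


def strip_noise(src):
    """Blank out comments and strings, keeping newlines so line numbers hold."""
    return NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def find_unenforced_policy_calls(sources):
    """Return [(path, line)] for add_policy calls in files with no workaround.

    `sources` maps a path to C source text. Heuristic: it does not prove the
    flag is set on the same X509_VERIFY_PARAM object, only in the same file.
    """
    findings = []
    for path, src in sorted(sources.items()):
        code = strip_noise(src)
        if SET1_POLICIES.search(code) or SET_FLAGS.search(code):
            continue  # one of the advisory's workarounds is present
        for m in ADD_POLICY.finditer(code):
            findings.append((path, code.count("\n", 0, m.start()) + 1))
    return findings


# Constructed sample sources (not taken from any real project).
SAMPLES = {
    "tls_client.c": "/* X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK); */\n"
                    "X509_VERIFY_PARAM_add_policy(vpm, policy);\n",
    "tls_server.c": "X509_VERIFY_PARAM_add_policy(vpm, policy);\n"
                    "X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);\n",
    "mail.c": "X509_VERIFY_PARAM_set1_policies(vpm, policies);\n",
}

if __name__ == "__main__":
    for path, line in find_unenforced_policy_calls(SAMPLES):
        print(f"{path}:{line}: add_policy without X509_V_FLAG_POLICY_CHECK")
```

Each reported location still needs a manual check that the flag is set on the same parameter object that receives the policy.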

Timeline

Published on: 03/28/2023 15:15:00 UTC
Last modified on: 04/14/2023 23:15:00 UTC