A vulnerability has been discovered in OpenSSL, which could cause applications to experience significant delays and potentially lead to a Denial of Service (DoS) attack. This vulnerability is related to the processing of specially crafted ASN.1 object identifiers or data containing them, which may take a very long time to complete.

Impact Summary

Applications that call the OpenSSL function OBJ_obj2txt() directly, or that use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF, or TS, are at risk when handling ASN.1 object identifiers and data containing them. These applications may experience long delays when processing messages that contain such identifiers, which can result in a DoS.

// Example code snippet showing the use of OBJ_obj2txt()
#include <openssl/objects.h>

// ...

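// Stand-in object (rsaEncryption); in the scenario described here the
// ASN1_OBJECT comes from parsed, untrusted input instead.
ASN1_OBJECT *oid = OBJ_txt2obj("1.2.840.113549.1.1.1", 1);
char buf[128];
// no_name = 1: always produce the numeric (dotted-decimal) form
int buf_len = OBJ_obj2txt(buf, sizeof(buf), oid, 1);
ASN1_OBJECT_free(oid);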

Exploit Details

An OBJECT IDENTIFIER in ASN.1 is made up of a series of numbers - sub-identifiers - most of which have no size limit. The OBJ_obj2txt() function is used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form (sub-identifiers in decimal form, separated by periods).

When an OBJECT IDENTIFIER contains a very large sub-identifier (absurdly large, occupying tens or hundreds of KiBs), the translation to a decimal number may take an extremely long time, with a time complexity of O(n^2) where 'n' is the size of the sub-identifiers in bytes.

OpenSSL 3.0 introduced support for fetching cryptographic algorithms by name or identifier in string form, including OBJECT IDENTIFIERs in canonical numeric text form. An OBJECT IDENTIFIER may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in protocols to specify cryptographic algorithms for signing, verifying, encrypting, or decrypting data.

Affected applications include those that call OBJ_obj2txt() directly with untrusted data and applications using OpenSSL 3.0 and newer, involving subsystems such as OCSP, PKCS7/SMIME, CMS, CMP/CRMF, or TS. The impact on TLS, however, is quite low, since all OpenSSL versions have a 100 KiB limit on the peer's certificate chain.

OpenSSL 1.1.1 and 1.0.2 are less affected since this issue only impacts displaying various objects like X.509 certificates and is not considered a cause for concern in terms of DoS attacks.

Original References

- OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20230215.txt
- Related GitHub Commit: https://github.com/openssl/openssl/commit/a3c958a1a

It is highly recommended to update OpenSSL to the latest version, which includes a fix for this vulnerability. Additionally, developers should be cautious when using the OBJ_obj2txt() function with untrusted data to minimize potential attack surfaces related to this issue.
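One way to apply that caution where an immediate upgrade is not possible is to inspect the OID's content octets and reject oversized sub-identifiers before any text conversion. The following is an added example, not code from OpenSSL or the advisory; the function names and the MAX_SUBID_BYTES limit are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy limit (an assumption, not an OpenSSL constant):
 * 20 base-128 bytes hold 140 bits, enough for a 128-bit arc. */
#define MAX_SUBID_BYTES 20

/* Scan the content octets of a DER OBJECT IDENTIFIER (tag and length
 * already stripped). Each sub-identifier is base-128: every byte except
 * its last has bit 0x80 set. Returns the byte length of the longest
 * sub-identifier, 0 for empty content, or -1 if the encoding is
 * truncated or a sub-identifier starts with a 0x80 padding byte. */
long oid_longest_subid(const unsigned char *p, size_t len)
{
    size_t run = 0, longest = 0;
    for (size_t i = 0; i < len; i++) {
        if (run == 0 && p[i] == 0x80)
            return -1;              /* non-minimal encoding, invalid in DER */
        run++;
        if ((p[i] & 0x80) == 0) {   /* last byte of this sub-identifier */
            if (run > longest)
                longest = run;
            run = 0;
        }
    }
    return run != 0 ? -1 : (long)longest;   /* run != 0: truncated */
}

/* 1 if the OID is cheap to convert to text, 0 if it should be rejected. */
int oid_ok_to_convert(const unsigned char *p, size_t len)
{
    long n = oid_longest_subid(p, len);
    return n > 0 && n <= MAX_SUBID_BYTES;
}

int main(void)
{
    /* Constructed samples: 1.2.840.113549.1.1.1, and an OID whose second
     * sub-identifier spans 64 KiB of continuation bytes. */
    static const unsigned char rsa[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01};
    size_t big_len = 1 + 65536 + 1;
    unsigned char *big = malloc(big_len);
    if (big == NULL)
        return 1;
    big[0] = 0x2a; memset(big + 1, 0xff, 65536); big[big_len - 1] = 0x7f;
    printf("rsaEncryption ok=%d, oversized ok=%d\n",
           oid_ok_to_convert(rsa, sizeof rsa), oid_ok_to_convert(big, big_len));
    free(big);
    return 0;
}
```

The scan is linear in the encoded length, so the check itself cannot be stalled by a large input. For an ASN1_OBJECT, the content octets and their length are available through OBJ_get0_data() and OBJ_length().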

Timeline

Published on: 05/30/2023 14:15:00 UTC
Last modified on: 06/08/2023 19:15:00 UTC