A recent vulnerability, designated as CVE-2023-35784, has been reported in the OpenBSD operating system's SSL module and the LibreSSL library, both widely used for secure communications. This security issue is categorized as a "double free" or "use after free" vulnerability, which could potentially be exploited by attackers to crash applications or execute arbitrary code on target systems. It is important to note that OpenSSL, another widely used SSL library, is not affected by this vulnerability. In this post, we will delve into the details of this issue, examine how it arises, and discuss the available fixes and mitigations.

Vulnerable Components

1. OpenBSD 7.2 before errata 026, and 7.3 before errata 004: OpenBSD 7.2 and 7.3 systems that have not yet applied the listed errata are affected. Details on the specific errata addressing the issue can be found on the OpenBSD Errata pages for 7.2 and 7.3.
2. LibreSSL before 3.6.3 and 3.7.x before 3.7.3: LibreSSL is the OpenSSL fork maintained by the OpenBSD project and is commonly used in place of OpenSSL. Every release before 3.6.3, and the 3.7 branch before 3.7.3, is affected. Release notes and other details are on the LibreSSL Release page.

How the Issue Occurs

The vulnerability is triggered by a call to the SSL_clear function in the affected SSL libraries. SSL_clear exists to reset an SSL object so that its memory can be reused for another connection after the previous one is closed. In the affected versions, state belonging to the closed connection is freed normally when that connection is torn down (first free) and may then be freed again, or referenced again, when SSL_clear is called on the object (double free or use after free). A simplified code snippet illustrating this pattern can be found below:

#include <openssl/ssl.h>

void vulnerable_function(SSL *ssl) {
    /* ... connection is used, then closed ... */
    SSL_shutdown(ssl);
    SSL_free(ssl); /* First memory free: the object and its state are released */
    /* ... later the same object is reset for reuse ... */
    SSL_clear(ssl); /* Potential second memory free: touches state already released above */
}

Exploiting the Vulnerability

An attacker could potentially exploit this vulnerability by causing a target application using the affected SSL libraries to crash or even execute arbitrary code. The attacker would need to establish a connection to the target application and then send crafted SSL packets that trigger the vulnerability. Further details on exploitation of this vulnerability can be found in this research paper. *Please note that this link is provided for educational purposes only, and we do not encourage or endorse malicious activities.*

Fixes and Mitigations

To patch and protect your systems against this vulnerability, it is essential to update the affected components as follows:

1. OpenBSD users should apply errata 026 on 7.2 or errata 004 on 7.3 (on release installs this is done with syspatch). Instructions on updating OpenBSD are available on the OpenBSD FAQ page.
2. LibreSSL users should update to 3.6.3 on the 3.6 branch or 3.7.3 on the 3.7 branch. Links to updated LibreSSL releases can be found on the LibreSSL Release page.
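The following is an added example, not code from the original post or from the LibreSSL or OpenBSD projects. It takes the first line printed by `openssl version` (for example "LibreSSL 3.7.2" or "OpenSSL 3.0.9 30 May 2023"; the sample lines in main are constructed) and classifies it against the affected ranges listed above: any LibreSSL before 3.6.3, or 3.7.x before 3.7.3, is affected; OpenSSL is not. It is useful for sweeping a fleet of hosts or container images, with one caveat: on OpenBSD the base-system libssl is fixed by errata without a version-number change, so for OpenBSD check `syspatch -l` for the errata instead of relying on this string.

```c
#include <stdio.h>
#include <string.h>

/* Library identity parsed from a line such as "LibreSSL 3.7.2". */
struct ssl_version {
    char name[16];          /* "LibreSSL" or "OpenSSL" */
    int major, minor, patch;
};

/* Parse the first line of `openssl version` output.
 * Accepts "Name M.m" or "Name M.m.p"; trailing text (build date) is ignored.
 * Returns 1 on success, 0 if the line does not look like a version string. */
static int parse_ssl_version(const char *line, struct ssl_version *v)
{
    memset(v, 0, sizeof(*v));
    /* %15s bounds the name to the 15 characters the buffer can hold */
    int n = sscanf(line, "%15s %d.%d.%d", v->name, &v->major, &v->minor, &v->patch);
    if (n < 3)
        return 0;           /* no name or no "M.m" pair */
    if (n == 3)
        v->patch = 0;       /* "3.7" is read as 3.7.0 */
    return 1;
}

/* Lexicographic compare of two (major, minor, patch) triples: <0, 0 or >0. */
static int cmp_ver(int a1, int a2, int a3, int b1, int b2, int b3)
{
    if (a1 != b1) return a1 - b1;
    if (a2 != b2) return a2 - b2;
    return a3 - b3;
}

/* Classify a version line against the ranges in the advisory.
 * Returns  1: LibreSSL in an affected range (before 3.6.3, or 3.7.x before 3.7.3)
 *          0: not affected (fixed LibreSSL, or OpenSSL, which is not affected)
 *         -1: input could not be parsed, so the host must be checked by hand */
int libressl_affected_by_cve_2023_35784(const char *version_line)
{
    struct ssl_version v;
    if (!parse_ssl_version(version_line, &v))
        return -1;
    if (strcmp(v.name, "LibreSSL") != 0)
        return 0;           /* OpenSSL (or anything else) is outside the advisory */
    if (cmp_ver(v.major, v.minor, v.patch, 3, 6, 3) < 0)
        return 1;           /* everything before 3.6.3 */
    if (v.major == 3 && v.minor == 7 && v.patch < 3)
        return 1;           /* 3.7.0 .. 3.7.2 */
    return 0;
}

int main(void)
{
    /* Constructed sample lines, as `openssl version` would print them. */
    const char *samples[] = {
        "LibreSSL 3.7.2",
        "LibreSSL 3.7.3",
        "LibreSSL 3.5.4",
        "LibreSSL 3.8.0",
        "OpenSSL 3.0.9 30 May 2023",
        "not a version line",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int r = libressl_affected_by_cve_2023_35784(samples[i]);
        printf("%-30s -> %s\n", samples[i],
               r == 1 ? "AFFECTED, update" : r == 0 ? "not affected" : "UNKNOWN, check manually");
    }
    return 0;
}
```

Unparseable input deliberately maps to "unknown" rather than "not affected", so a host whose `openssl` binary is missing or prints something unexpected shows up in the review list instead of silently passing.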

Conclusion

CVE-2023-35784 is a critical security vulnerability that has been identified in OpenBSD and LibreSSL. Both organizations have addressed this issue in their latest updates. As always, it is crucial to keep your software updated and apply all necessary patches to ensure the security of your applications and systems.

Timeline

Published on: 06/16/2023 20:15:00 UTC
Last modified on: 06/26/2023 22:16:00 UTC