CVE-2015-5333 – A memory leak vulnerability in LibreSSL's OBJ

Q: What is the severity of CVE-2015-5333?

CVE-2015-5333 has a CVSS score of 7.5 (HIGH). A memory leak vulnerability in LibreSSL's OBJ_obj2txt function allows remote attackers to cause denial of service by consuming all available memory. Attackers can trigger this by sending X.509 certificates containing numerous ASN.1 object identifiers. Systems using vulnerable LibreSSL versions for TLS/SSL operations are affected.

📋 TL;DR

A memory leak vulnerability in LibreSSL's OBJ_obj2txt function allows remote attackers to cause denial of service by consuming all available memory. Attackers can trigger this by sending X.509 certificates containing numerous ASN.1 object identifiers. Systems using vulnerable LibreSSL versions for TLS/SSL operations are affected.

💻 Affected Systems

Products:

LibreSSL

Versions: All versions before 2.3.1

Operating Systems: Any OS running vulnerable LibreSSL

Default Config Vulnerable: ⚠️ Yes

Notes: Systems using LibreSSL for certificate validation in TLS/SSL services are vulnerable. The vulnerability is triggered during certificate parsing.

📦 What is this software?

Libressl by Openbsd

View all CVEs affecting Libressl →

Opensuse by Opensuse

View all CVEs affecting Opensuse →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unavailability due to memory exhaustion, potentially crashing services or the entire system, leading to extended downtime.

🟠

Likely Case

Service degradation or temporary unavailability of affected services using LibreSSL for certificate validation, requiring restart to recover memory.

🟢

If Mitigated

Minimal impact with proper monitoring and memory limits, though some service disruption may still occur during attack.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted X.509 certificates to vulnerable services. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.1 and later

Vendor Advisory: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt

Restart Required: Yes

Instructions:

1. Update LibreSSL to version 2.3.1 or later using your system's package manager. 2. For Linux: Use 'apt-get update && apt-get upgrade libressl' (Debian/Ubuntu) or 'yum update libressl' (RHEL/CentOS). 3. Restart all services using LibreSSL. 4. Recompile any applications statically linked to LibreSSL.

🔧 Temporary Workarounds

Rate limit certificate processing

all

Implement rate limiting on services accepting certificates to reduce attack surface

# Configure rate limiting in your web server or application firewall

Memory usage monitoring

all

Monitor memory consumption of services using LibreSSL and implement automatic restarts

# Set up monitoring with tools like Nagios, Zabbix, or custom scripts

🧯 If You Can't Patch

Implement strict certificate validation and reject certificates with excessive ASN.1 object identifiers
Deploy network-based protections like WAFs or IPS to detect and block malicious certificate traffic

🔍 How to Verify

Check if Vulnerable:

Check LibreSSL version: 'libressl version' or 'openssl version' if LibreSSL is installed as openssl replacement

Check Version:

libressl version

Verify Fix Applied:

Verify version is 2.3.1 or higher: 'libressl version | grep -q "2.3.1\|^2\.[4-9]\|^3\." && echo "Patched"'

📡 Detection & Monitoring

Log Indicators:

Unusual memory consumption spikes in system logs
Service crashes or restarts related to certificate processing
Error logs mentioning certificate parsing failures

Network Indicators:

High volume of certificate exchanges to single endpoints
Unusually large certificate payloads in network traffic

SIEM Query:

source="*ssl*" OR source="*certificate*" AND (memory_usage>90% OR process_crash=true)

📊 Metadata

CVE ID: CVE-2015-5333

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

Published: January 23, 2020

Last Updated: November 21, 2024

🔗 References

http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt Release Notes,Vendor Advisory
http://lists.opensuse.org/opensuse-updates/2015-10/msg00050.html Mailing List,Third Party Advisory
http://packetstormsecurity.com/files/133998/Qualys-Security-Advisory-LibreSSL-Leak-Overflow.html Exploit,Third Party Advisory,VDB Entry
http://www.securityfocus.com/archive/1/archive/1/536692/100/0/threaded Broken Link
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt Release Notes,Vendor Advisory
http://lists.opensuse.org/opensuse-updates/2015-10/msg00050.html Mailing List,Third Party Advisory
http://packetstormsecurity.com/files/133998/Qualys-Security-Advisory-LibreSSL-Leak-Overflow.html Exploit,Third Party Advisory,VDB Entry
http://www.securityfocus.com/archive/1/archive/1/536692/100/0/threaded Broken Link

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2015-5333, you might also want to check these: