CVE-2021-46880 – This vulnerability in LibreSSL and OpenBSD's ce... (How to Fix)

Q: What is the severity of CVE-2021-46880?

CVE-2021-46880 has a CVSS score of 9.8 (CRITICAL). This vulnerability in LibreSSL and OpenBSD's certificate verification allows authentication bypass by discarding errors for unverified certificate chains. Attackers can impersonate trusted entities to gain unauthorized access. Systems using affected versions of LibreSSL or OpenBSD are vulnerable.

📋 TL;DR

This vulnerability in LibreSSL and OpenBSD's certificate verification allows authentication bypass by discarding errors for unverified certificate chains. Attackers can impersonate trusted entities to gain unauthorized access. Systems using affected versions of LibreSSL or OpenBSD are vulnerable.

💻 Affected Systems

Products:

LibreSSL
OpenBSD

Versions: LibreSSL before 3.4.2, OpenBSD before 7.0 errata 006

Operating Systems: OpenBSD, Systems using LibreSSL library

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using affected LibreSSL versions for TLS/SSL certificate verification is vulnerable.

📦 What is this software?

Libressl by Openbsd

View all CVEs affecting Libressl →

Openbsd by Openbsd

View all CVEs affecting Openbsd →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via TLS/SSL authentication bypass, allowing attackers to impersonate any trusted server or client.

🟠

Likely Case

Man-in-the-middle attacks intercepting and decrypting encrypted communications, credential theft, and unauthorized access to services.

🟢

If Mitigated

Limited impact if certificate pinning or additional authentication layers are implemented, but TLS trust is still broken.

🌐 Internet-Facing: HIGH - Directly exposes TLS/SSL services to authentication bypass attacks from external attackers.

🏢 Internal Only: HIGH - Internal TLS/SSL communications and authentication can be bypassed by internal threat actors.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to TLS/SSL services but no authentication. The vulnerability is in certificate chain verification logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LibreSSL 3.4.2, OpenBSD 7.0 with errata 006

Vendor Advisory: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt

Restart Required: Yes

Instructions:

1. Update LibreSSL to version 3.4.2 or later. 2. For OpenBSD, apply errata 006 patch or upgrade to patched version. 3. Restart all services using LibreSSL/TLS.

🔧 Temporary Workarounds

Certificate Pinning

all

Implement certificate pinning in applications to bypass vulnerable verification logic.

Application-specific configuration required

🧯 If You Can't Patch

Implement network segmentation to isolate vulnerable systems.
Use alternative TLS libraries or implementations for critical services.

🔍 How to Verify

Check if Vulnerable:

Check LibreSSL version with 'libressl version' or OpenBSD version with 'uname -a'. Verify if version is below patched versions.

Check Version:

libressl version

Verify Fix Applied:

Confirm version is LibreSSL 3.4.2+ or OpenBSD 7.0 with errata 006 applied. Test certificate verification with invalid chains.

📡 Detection & Monitoring

Log Indicators:

Unexpected successful TLS handshakes with invalid certificates
Certificate verification errors being ignored in logs

Network Indicators:

Suspicious TLS connections bypassing normal authentication
Unexpected certificate chains in TLS traffic

SIEM Query:

Search for successful TLS connections where certificate validation would normally fail.

📊 Metadata

CVE ID: CVE-2021-46880

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-295

Published: April 15, 2023

Last Updated: February 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46880, you might also want to check these: