CVE-2023-0464
📋 TL;DR
This OpenSSL vulnerability allows attackers to cause denial-of-service by exploiting certificate policy constraint processing. When enabled, malicious certificate chains can trigger exponential resource consumption, potentially crashing affected systems. Only systems with certificate policy processing enabled are vulnerable.
💻 Affected Systems
- OpenSSL
📦 What is this software?
Openssl by Openssl
OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.
Learn more about Openssl →Openssl by Openssl
OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.
Learn more about Openssl →Openssl by Openssl
OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.
Learn more about Openssl →Openssl by Openssl
OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.
Learn more about Openssl →⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability due to resource exhaustion, potentially affecting all services using OpenSSL with policy processing enabled.
Likely Case
Service degradation or temporary unavailability of specific applications using OpenSSL with policy processing enabled.
If Mitigated
Minimal impact since policy processing is disabled by default; only explicitly configured systems are affected.
🎯 Exploit Status
Exploitation requires ability to present malicious certificate chains to vulnerable systems with policy processing enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenSSL 1.1.1t, 3.0.8, 3.1.2
Vendor Advisory: https://www.openssl.org/news/secadv/20230530.txt
Restart Required: Yes
Instructions:
1. Identify OpenSSL version with 'openssl version'. 2. Update to patched version via package manager (apt-get upgrade openssl, yum update openssl, etc.). 3. Restart all services using OpenSSL. 4. Verify update with 'openssl version'.
🔧 Temporary Workarounds
Disable certificate policy processing
allEnsure certificate policy processing is not enabled in OpenSSL configurations
Remove '-policy' arguments from OpenSSL command line usage
Remove calls to X509_VERIFY_PARAM_set1_policies() in applications
🧯 If You Can't Patch
- Ensure certificate policy processing is disabled in all configurations
- Implement network controls to limit certificate chain processing from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check OpenSSL version with 'openssl version' and verify if below 1.1.1t, 3.0.8, or 3.1.2. Also check if policy processing is enabled in configurations.Check Version:
openssl versionVerify Fix Applied:
Run 'openssl version' to confirm version is 1.1.1t, 3.0.8, 3.1.2 or higher.📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes in OpenSSL processes
- Certificate validation failures or timeouts
- Application crashes related to SSL/TLS handshakes
Network Indicators:
- Unusual certificate chain submissions
- Multiple failed SSL/TLS handshake attempts
SIEM Query:
source="*ssl*" AND ("certificate policy" OR "policy constraint") AND (error OR timeout OR crash)🔗 References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
- https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- https://security.gentoo.org/glsa/202402-08
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.couchbase.com/alerts/
- https://www.debian.org/security/2023/dsa-5417
- https://www.openssl.org/news/secadv/20230322.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
- https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- https://security.gentoo.org/glsa/202402-08
- https://security.netapp.com/advisory/ntap-20230406-0006/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.couchbase.com/alerts/
- https://www.debian.org/security/2023/dsa-5417
- https://www.openssl.org/news/secadv/20230322.txt
