CVE-2023-0286
published 2023-02-08


Priority: P2 (64)
Severity: high · CVSS 3.1 base score 7.4
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:N / A:H
EPSS: 59.50% (99.0th percentile)
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
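The layout that turns this into a type confusion, as an added example that is not OpenSSL's code: the two structures are simplified models of ASN1_STRING and ASN1_TYPE that follow the field order in OpenSSL's headers, the LP64 offsets and the 24-byte crafted payload are assumptions of the example, and every function and type name here is the example's own. It shows how the ASN1_STRING length aliases the ASN1_TYPE type, how the pointer to the DER payload becomes ASN1_TYPE's value, and therefore which length and pointer ASN1_STRING_cmp's memcmp would receive; it deliberately stops short of dereferencing them. The fixed comparison mirrors the 1.1.1t / 3.0.8 change of treating x400Address as an ASN1_STRING.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Models of the two OpenSSL structures confused in CVE-2023-0286.
 * Field order follows <openssl/asn1.h>; the offsets assume an LP64 ABI
 * (4-byte int, 8-byte pointer), which is an assumption of this example. */
typedef struct {
    int length;          /* offset 0  */
    int type;            /* offset 4  */
    unsigned char *data; /* offset 8  */
    long flags;          /* offset 16 */
} MODEL_ASN1_STRING;

typedef struct {
    int type;                                                    /* offset 0 */
    union { void *ptr; MODEL_ASN1_STRING *asn1_string; } value;  /* offset 8 */
} MODEL_ASN1_TYPE;

/* Pre-fix GENERAL_NAME_cmp handed the x400Address, an ASN1_STRING in memory,
 * to ASN1_TYPE_cmp.  Reading the same bytes as an ASN1_TYPE aliases
 * length -> type and data -> value.ptr.  memcpy models the cast without UB. */
int confused_type(const MODEL_ASN1_STRING *s)
{
    MODEL_ASN1_TYPE t;
    memcpy(&t, s, sizeof t);
    return t.type;            /* equals s->length */
}

const void *confused_value(const MODEL_ASN1_STRING *s)
{
    MODEL_ASN1_TYPE t;
    memcpy(&t, s, sizeof t);
    return t.value.ptr;       /* equals s->data: the DER payload itself */
}

/* ASN1_TYPE_cmp's default case passes value.ptr to ASN1_STRING_cmp, which reads
 * .length and .data from it and calls memcmp(a->data, b->data, a->length).
 * Here that "struct" is the attacker's DER bytes.  Recover the length and the
 * pointer memcmp would get, but never dereference them. */
int memcmp_args_from_payload(const MODEL_ASN1_STRING *s, int *len, uintptr_t *ptr)
{
    if (s->length < (int)sizeof(MODEL_ASN1_STRING))
        return 0;             /* too short: the real code would read past the buffer */
    MODEL_ASN1_STRING inner;
    memcpy(&inner, s->data, sizeof inner);
    *len = inner.length;
    *ptr = (uintptr_t)inner.data;
    return 1;
}

/* The fix: x400Address is typed ASN1_STRING and compared with ASN1_STRING_cmp
 * semantics, i.e. the lengths first, then the bytes themselves. */
int fixed_x400_cmp(const MODEL_ASN1_STRING *a, const MODEL_ASN1_STRING *b)
{
    int d = a->length - b->length;
    return d ? d : memcmp(a->data, b->data, (size_t)a->length);
}

/* Constructed payload (not from any real certificate): 24 bytes laid out so that,
 * read as an ASN1_STRING, they carry a huge length and an attacker-chosen pointer. */
MODEL_ASN1_STRING make_crafted_x400(unsigned char *buf24)
{
    int fake_len = 0x7fffffff;
    uintptr_t fake_ptr = (uintptr_t)0x4141414141414141ULL;
    memset(buf24, 0, 24);
    memcpy(buf24 + offsetof(MODEL_ASN1_STRING, length), &fake_len, sizeof fake_len);
    memcpy(buf24 + offsetof(MODEL_ASN1_STRING, data), &fake_ptr, sizeof fake_ptr);
    MODEL_ASN1_STRING s = { 24, 16 /* V_ASN1_SEQUENCE */, buf24, 0 };
    return s;
}

int main(void)
{
    unsigned char payload[24];
    MODEL_ASN1_STRING x400 = make_crafted_x400(payload);
    int len; uintptr_t ptr;
    printf("confused type = %d (was length), value = %p (was data)\n",
           confused_type(&x400), (const void *)confused_value(&x400));
    if (memcmp_args_from_payload(&x400, &len, &ptr))
        printf("memcmp would use len=0x%x ptr=0x%" PRIxPTR "\n", len, ptr);
    return 0;
}
```

In the real call path the confused read only matters when ASN1_TYPE_cmp lands in its default (string) case, that is when the aliased "type" (really the DER length) is not one of the specially handled tags and is equal on both sides. Because the attacker normally supplies both the certificate chain and the CRL, matching those lengths is under their control, which is why the advisory stresses control of both inputs.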

Affected

60 ranges · showing 25

Vendor           Product                                                    Version range                     Fixed in
cryptography.io  cryptography                                               >= 0.8.1 < 39.0.1                 39.0.1
debian           openssl                                                    < openssl 3.0.8-1 (bookworm)      openssl 3.0.8-1 (bookworm)
msrc             azl3_edk2_20230301gitf80f052277c8-37_on_azure_linux_3.0    -                                 -
msrc             azl3_hvloader_1.0.1-2_on_azure_linux_3.0                   -                                 -
msrc             azl3_hvloader_1.0.1-4_on_azure_linux_3.0                   -                                 -
msrc             azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0        -                                 -
msrc             azl3_rust_1.75.0-14_on_azure_linux_3.0                     -                                 -
msrc             azl3_rust_1.86.0-1_on_azure_linux_3.0                      -                                 -
msrc             cbl2_cloud-hypervisor_30.0-2_on_cbl_mariner_2.0            -                                 -
msrc             cbl2_hvloader_1.0.1-2_on_cbl_mariner_2.0                   -                                 -
msrc             cbl2_openssl_1.1.1k-21_on_cbl_mariner_2.0                  -                                 -
msrc             cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0        -                                 -
msrc             cbl2_qemu_6.2.0-24_on_cbl_mariner_2.0                      -                                 -
msrc             cbl2_reaper_3.1.1-6_on_cbl_mariner_2.0                     -                                 -
msrc             cbl2_rust_1.68.2-5_on_cbl_mariner_2.0                      -                                 -
msrc             cm1_cloud-hypervisor_22.0-2_on_cbl_mariner_1.0             -                                 -
msrc             cm1_openssl_1.1.1k-13_on_cbl_mariner_1.0                   -                                 -
msrc             cm1_rust_1.59.0-1_on_cbl_mariner_1.0                       -                                 -
nodejs           nodejs                                                     >= 0 < 12.22.9~dfsg-1ubuntu3.3    12.22.9~dfsg-1ubuntu3.3
openssl          openssl                                                    >= 0 < 1.1.1t-r0                  1.1.1t-r0
openssl          openssl                                                    >= 0 < 1.1.1t-r0                  1.1.1t-r0
openssl          openssl                                                    >= 0 < 1.1.1t-r0                  1.1.1t-r0
openssl          openssl                                                    >= 0 < 3.0.8-r0                   3.0.8-r0
openssl          openssl                                                    >= 0 < 3.0.8-r0                   3.0.8-r0
openssl          openssl                                                    >= 0 < 3.0.8-r0                   3.0.8-r0

("-" marks a cell the source leaves empty: the msrc entries name a package build without a version range.)

Detection & IOCs (extracted from sources)

  • Trigger condition: CRL checking must be enabled via the X509_V_FLAG_CRL_CHECK flag; monitor applications that set this flag and accept externally supplied certificate chains and CRLs
  • Attack vector: the attacker supplies both a crafted certificate chain and a crafted CRL, and neither needs a valid signature; inspect TLS/CRL inputs for X.400 addresses in GeneralName fields
  • Narrow-scope indicator: an X.400 address in a CRL distribution point field of a certificate or CRL is uncommon in practice and a strong anomaly indicator worth alerting on
  • Highest-risk application profile: applications that implement their own CRL retrieval over a network (rather than relying on OS/library defaults) are the primary target surface
  • Vulnerable function: GENERAL_NAME_cmp in OpenSSL misinterprets x400Address as ASN1_TYPE instead of ASN1_STRING; a crash or memory read via memcmp with an attacker-controlled pointer is the observable effect
  • Exploitation requires CRL checking to be explicitly enabled; applications that do not set X509_V_FLAG_CRL_CHECK are not affected
  • shim in Red Hat Enterprise Linux 8 and 9 is not affected because shim does not support any CRL processing
  • Siemens BFCClient workaround: disable CRL checking if patching to V2.17 is not immediately possible
  • If the attacker controls only one input (certificate chain or CRL), exploitation is significantly harder and requires the other input to already contain an X.400 address CRL distribution point
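A check for the anomaly indicator above (an X.400 address used as a CRL distribution point), added here as example code that is neither the page's nor any vendor's tooling: a minimal DER walker that counts x400Address entries inside the fullName of a CRLDistributionPoints extension value. The two sample byte strings are constructed for the example, the function names are the example's own, and it assumes it is given the extension's OCTET STRING contents, so a caller must first locate the extension with OID 2.5.29.31 in the certificate or CRL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Parse one DER TLV header at p (single-byte tag, definite length of at most
 * four length bytes, which covers any real CRLDistributionPoints value).
 * Returns 1 and fills tag/hdr/len on success, 0 on malformed or truncated input. */
static int der_header(const uint8_t *p, size_t n, uint8_t *tag, size_t *hdr, size_t *len)
{
    if (n < 2) return 0;
    *tag = p[0];
    if ((*tag & 0x1f) == 0x1f) return 0;            /* multi-byte tag: not expected here */
    if (p[1] < 0x80) {
        *hdr = 2; *len = p[1];
    } else {
        size_t nb = p[1] & 0x7f, v = 0;
        if (nb == 0 || nb > 4 || n < 2 + nb) return 0;
        for (size_t i = 0; i < nb; i++) v = (v << 8) | p[2 + i];
        *hdr = 2 + nb; *len = v;
    }
    return *hdr + *len <= n;
}

/* Nesting from the extension value down to a single GeneralName:
 *   CRLDistributionPoints   SEQUENCE              0x30
 *     DistributionPoint     SEQUENCE              0x30
 *       distributionPoint   [0] (constructed)     0xA0
 *         fullName          [0] GeneralNames      0xA0
 *           GeneralName     CHOICE: x400Address is [3] constructed = 0xA3 */
static const uint8_t PATH[] = { 0x30, 0x30, 0xA0, 0xA0 };
#define X400_ADDRESS_TAG 0xA3

static int walk(const uint8_t *p, size_t n, size_t depth)
{
    int hits = 0;
    size_t off = 0;
    while (off < n) {
        uint8_t tag; size_t hdr, len;
        if (!der_header(p + off, n - off, &tag, &hdr, &len)) return -1;
        if (depth == sizeof PATH) {
            if (tag == X400_ADDRESS_TAG) hits++;     /* the anomaly we alert on */
        } else if (tag == PATH[depth]) {
            int r = walk(p + off + hdr, len, depth + 1);
            if (r < 0) return -1;
            hits += r;
        }   /* other tags (reasons, cRLIssuer, URI names) are skipped, not descended */
        off += hdr + len;
    }
    return hits;
}

/* Count x400Address entries among the distribution point names of a DER
 * CRLDistributionPoints extension value (the OCTET STRING contents of the
 * extension with OID 2.5.29.31).  Returns -1 if the DER is malformed. */
int count_x400_crldp(const uint8_t *der, size_t n)
{
    return walk(der, n, 0);
}

/* Constructed sample values, not taken from any real certificate. */
const uint8_t BENIGN_CRLDP[] = {   /* one URI distribution point */
    0x30,0x16, 0x30,0x14, 0xA0,0x12, 0xA0,0x10,
    0x86,0x0E, 'h','t','t','p',':','/','/','a','/','x','.','c','r','l'
};
const uint8_t X400_CRLDP[] = {     /* one x400Address distribution point, empty ORAddress */
    0x30,0x0A, 0x30,0x08, 0xA0,0x06, 0xA0,0x04, 0xA3,0x02, 0x30,0x00
};

int main(void)
{
    printf("benign:  %d x400 CRL DP(s)\n", count_x400_crldp(BENIGN_CRLDP, sizeof BENIGN_CRLDP));
    printf("crafted: %d x400 CRL DP(s)\n", count_x400_crldp(X400_CRLDP, sizeof X400_CRLDP));
    return 0;
}
```

A non-zero count on a leaf certificate, an intermediate, or a CRL's issuing distribution point is the "uncommon" condition the advisory describes and is worth an alert on its own; a malformed result (-1) should be treated the same way, since the inputs this bug needs do not have to carry valid signatures.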

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.4    HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
ghsa           -        7.4    HIGH      -
osv            -        7.5    HIGH      -
vendor_ubuntu  -        7.5    HIGH      -
vendor_debian  -        7.4    HIGH      -
vendor_msrc    -        7.4    HIGH      -
vendor_oracle  -        7.4    HIGH      -
vendor_redhat  -        7.4    HIGH      -