Corrective releases of OpenSSL (3.0.8, 1.1.1t) and LibreSSL (3.5.4, 3.6.2) have been published, fixing a dangerous vulnerability (CVE-2023-0286) that allows the contents of arbitrary regions of process memory to be read while processing a certificate revocation list (CRL) or a timestamp token.
The vulnerability is caused by a type confusion when processing an X.400 address in the X.509 GeneralName extension. Specifically, the X.400 address was parsed as an ASN1_STRING, while the x400Address field of the GENERAL_NAME structure was declared as ASN1_TYPE, so the comparison function (GENERAL_NAME_cmp) treated the data as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (the X509_V_FLAG_CRL_CHECK flag is set), the vulnerability lets an attacker pass arbitrary pointers to memcmp, which can be used to read memory contents or to crash the process.
In most cases, a successful attack requires the attacker to control both the certificate revocation list (CRL) and the certificate trust chain. The attack can also be carried out with control over only one of these elements, but then an X.400 address must appear as the CRL distribution point, which is rare. Consequently, the vulnerability is expected to affect mainly applications that implement their own fetching of CRLs over the network.
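A practical first step for an operator is to check whether a given OpenSSL or LibreSSL build is at or past the fixed releases named at the top of the article. The following script is an added example written for this page, not code from the OpenSSL or LibreSSL projects; it parses the banner printed by `openssl version` (and the banner of the library the running Python interpreter is linked against) and compares it with the fixed versions the article lists. Branches the article does not mention are reported as "unknown" rather than guessed, and the sample banners are constructed for the demonstration.

```python
import re
import ssl

# Fixed releases named in the article, keyed by (library, branch).
# Branches not listed there are reported as "unknown" rather than guessed.
FIXED = {
    ("OpenSSL", "3.0"): (3, 0, 8),
    ("LibreSSL", "3.5"): (3, 5, 4),
    ("LibreSSL", "3.6"): (3, 6, 2),
}
FIXED_111_LETTER = "t"   # OpenSSL 1.1.1t; that branch numbers patch releases by letter

# Leading part of an `openssl version` banner, e.g. "OpenSSL 3.0.7 1 Nov 2022"
# or "OpenSSL 1.1.1s  1 Nov 2022" or "LibreSSL 3.6.1".
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Return (library, (major, minor, patch), letter) or None if unrecognised."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    lib, major, minor, patch, letter = m.groups()
    return lib, (int(major), int(minor), int(patch)), letter


def cve_2023_0286_status(banner):
    """Classify a version banner as 'fixed', 'vulnerable' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    lib, (major, minor, patch), letter = parsed

    if lib == "OpenSSL" and (major, minor, patch) == (1, 1, 1):
        # 1.1.1 releases compare by their letter suffix: 1.1.1s < 1.1.1t.
        return "fixed" if letter >= FIXED_111_LETTER else "vulnerable"

    fixed = FIXED.get((lib, f"{major}.{minor}"))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def running_interpreter_status():
    """Banner and status of the library this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, cve_2023_0286_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners in the format printed by `openssl version`.
    samples = (
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 3.0.8 7 Feb 2023",
        "OpenSSL 1.1.1s  1 Nov 2022",
        "OpenSSL 1.1.1t  7 Feb 2023",
        "LibreSSL 3.6.1",
        "LibreSSL 3.6.2",
        "OpenSSL 1.0.2u  20 Dec 2019",
    )
    for sample in samples:
        print(f"{sample:32} -> {cve_2023_0286_status(sample)}")
    banner, status = running_interpreter_status()
    print(f"{banner:32} -> {status} (this interpreter)")
```

The banner is only a proxy: many distributions backport security fixes without changing the upstream version string, so a "vulnerable" verdict on a distribution package means "check the vendor advisory and package changelog", not a confirmed exposure. Conversely, an application that ships its own statically linked libcrypto will not be covered by the system `openssl version` at all and has to be checked separately.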
Besides the issue discussed above, OpenSSL 3.0.8 also fixes several less dangerous vulnerabilities: