Welcome to Centmin Mod Community
Become a Member

Security OpenSSL New Infinite Loop Bug in OpenSSL Could Let Attackers Crash Remote Servers

Discussion in 'CentOS, Redhat & Oracle Linux News' started by pamamolf, Mar 17, 2022.

  1. pamamolf

    pamamolf Premium Member Premium Member

    3,991
    416
    83
    May 31, 2014
    Ratings:
    +806
    Local Time:
    4:35 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    The maintainers of OpenSSL have shipped patches to resolve a high-severity security flaw in its software library that could lead to a denial-of-service (DoS) condition when parsing certificates.

    Tracked as CVE-2022-0778 (CVSS score: 7.5),

    the issue stems from parsing a malformed certificate with invalid explicit elliptic-curve parameters, resulting in what's called an "infinite loop." The flaw resides in a function called BN_mod_sqrt() that's used to compute the modular square root.


    "Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack," OpenSSL said in an advisory published on March 15, 2022.

    "The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic-curve parameters."

    While there is no evidence that the vulnerability has been exploited in the wild, there are a few scenarios where it could be weaponized, including when TLS clients (or servers) access a rogue certificate from a malicious server (or client), or when certificate authorities parse certification requests from subscribers.

    The vulnerability impacts OpenSSL versions 1.0.2, 1.1.1, and 3.0, the project owners addressed the flaw with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. OpenSSL 1.1.0, while also affected, will not receive a fix as it has reached end-of-life.

    Credited with reporting the flaw on February 24, 2022 is Google Project Zero security researcher Tavis Ormandy. The fix was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL.

    CVE-2022-0778 is also the second OpenSSL vulnerability resolved since the start of the year. On January 28, 2022, the maintainers fixed a moderate-severity flaw (CVE-2021-4160, CVSS score: 5.9) affecting the library's MIPS32 and MIPS64 squaring procedure.
     
  2. eva2000

    eva2000 Administrator Staff Member

    49,301
    11,296
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,576
    Local Time:
    11:35 PM
    Nginx 1.21.x
    MariaDB 10.x
    Thanks for the heads up, updated Centmin Mod 123.09beta01 so run cmupdate and then re-run centmin.sh menu option 4 to recompile Nginx
    Code (Text):
    cmupdate
    No local changes to save
    Updating 11242b2..5f6f2d2
    Fast-forward
     centmin-cli.sh            | 8 ++++----
     centmin.sh                | 8 ++++----
     example/custom_config.inc | 6 +++---
     3 files changed, 11 insertions(+), 11 deletions(-)
    

    After centmin.sh menu option 4 Nginx recompile
    Also see https://community.centminmod.com/threads/centmin-mod-nginx-openssl-1-1-1n-security-update.22544/
     
    Last edited: Mar 17, 2022
  3. happyhacking

    happyhacking Premium Member Premium Member

    82
    14
    8
    Apr 23, 2021
    Ratings:
    +47
    Local Time:
    8:35 AM
    1.22.0
    MariadDB 10.4.25
    Thank you for the quick response to this security incident
     
  4. eva2000

    eva2000 Administrator Staff Member

    49,301
    11,296
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,576
    Local Time:
    11:35 PM
    Nginx 1.21.x
    MariaDB 10.x
    You're welcome.

    FYI as to CentOS/Redhat 7 system OpenSSL the issue seems not to apply according to Red Hat Customer Portal - Access to 24x7 support and knowledge