
Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble
2021-12-17 19:57

Simply put, some internal errors in OpenSSL - a genuine but unlikely error such as running out of memory, for example, or a flaw elsewhere in OpenSSL that provokes an error where there wasn't one - don't get reported correctly.

Instead of percolating back to your application precisely, these errors get "remapped" as they are passed back up the call chain in OpenSSL, where they ultimately show up as a completely different sort of error.

Neither of these techniques can recover error codes that happened before the last one: there's no GetSecondLastError() function, and the errno variable is not an ever-shifting array of historical error codes.

Ironically, perhaps, the OpenSSL 3.0.0 "error percolation" bug can only be triggered when OpenSSL is trying to improve security by verifying a digital certificate supplied by a remote server.

As the OpenSSL advisory explains, the first way this bug may be triggered is when one sort of error, such as a memory error, inadvertently comes back to you as a "You need to try this again" type of error.

The second way is if a separate and just-fixed OpenSSL bug, not worthy of a CVE on its own, triggers the bogus "You need to try this again" error even though no error occurred.
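The remapping described above is easier to see in miniature. The following C program is an added illustration, not OpenSSL code and not from the article: a simulated low-level routine fails with ENOMEM, and two callers pass the failure back up. The first, like the buggy path the article describes, rewrites every failure as a generic "try again" (EAGAIN), so an application's retry loop keeps spinning on a permanent fault. The second saves errno immediately and only translates errors that are genuinely transient. All function names (low_level_fetch, conflating_verify, preserving_verify, retry_until_success, errno_after) are made up for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation of the "error conflation" pattern.  The fetch
 * fails with ENOMEM when asked to, standing in for a genuine but unlikely
 * low-level error deep inside a library. */
static int low_level_fetch(int simulate_oom, int *out)
{
    if (simulate_oom) {
        errno = ENOMEM;
        return -1;
    }
    *out = 42;
    return 0;
}

/* Conflating caller: every failure is remapped to EAGAIN on the way back
 * up the call chain, so the original cause (ENOMEM) is lost. */
int conflating_verify(int simulate_oom, int *out)
{
    if (low_level_fetch(simulate_oom, out) != 0) {
        errno = EAGAIN;            /* overwrites ENOMEM: the caller will now retry */
        return -1;
    }
    return 0;
}

/* Preserving caller: capture errno at once (before any other call can
 * clobber it) and translate only the errors that really are retryable. */
int preserving_verify(int simulate_oom, int *out)
{
    if (low_level_fetch(simulate_oom, out) != 0) {
        int saved = errno;
        if (saved == EINTR)
            errno = EAGAIN;        /* interrupted: genuinely worth retrying */
        else
            errno = saved;         /* permanent failure percolates unchanged */
        return -1;
    }
    return 0;
}

/* Helper for inspection: the errno a failed verify() leaves behind,
 * or 0 if the call succeeded. */
int errno_after(int (*verify)(int, int *), int simulate_oom)
{
    int out;
    errno = 0;
    if (verify(simulate_oom, &out) == 0)
        return 0;
    return errno;
}

/* Retry loop as an application might write it.  Returns the attempt number
 * on which verify() succeeded, -1 if a hard (non-EAGAIN) error was reported,
 * or 0 if every attempt was answered with "try again". */
int retry_until_success(int (*verify)(int, int *), int simulate_oom, int max_attempts)
{
    int out;
    for (int attempt = 1; attempt <= max_attempts; attempt++) {
        if (verify(simulate_oom, &out) == 0)
            return attempt;
        if (errno != EAGAIN)
            return -1;             /* hard failure: stop and report it */
    }
    return 0;                      /* exhausted retries, still told "try again" */
}

int main(void)
{
    printf("conflating: errno=%s, retry result=%d\n",
           strerror(errno_after(conflating_verify, 1)),
           retry_until_success(conflating_verify, 1, 5));
    printf("preserving: errno=%s, retry result=%d\n",
           strerror(errno_after(preserving_verify, 1)),
           retry_until_success(preserving_verify, 1, 5));
    return 0;
}
```

With the conflating caller the retry loop burns all five attempts on an out-of-memory condition that will never clear; with the preserving caller it stops on the first attempt and reports ENOMEM. The detection-side lesson matches the article's point: an application that logs only the top-level "try again" never sees the real fault, so error codes should be captured at the point of failure and translated deliberately, not by default.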


News URL

https://nakedsecurity.sophos.com/2021/12/17/serious-security-openssl-fixes-error-conflation-bugs-how-mixing-up-mistakes-can-lead-to-trouble/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171