Security News > 2022 > March > New Infinite Loop Bug in OpenSSL Could Let Attackers Crash Remote Servers

The maintainers of OpenSSL have shipped patches to resolve a high-severity security flaw in its software library that could lead to a denial-of-service condition when parsing certificates.

"Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack," OpenSSL said in an advisory published on March 15, 2022.

"The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic-curve parameters."

While there is no evidence that the vulnerability has been exploited in the wild, there are a few scenarios where it could be weaponized, including when TLS clients access a rogue certificate from a malicious server, or when certificate authorities parse certification requests from subscribers.

The vulnerability impacts OpenSSL versions 1.0.2, 1.1.1, and 3.0, the project owners addressed the flaw with the release of versions 1.0.2zd, 1.1.1n, and 3.0.2.

OpenSSL 1.1.0, while also affected, will not receive a fix as it has reached end-of-life.

News URL

https://thehackernews.com/2022/03/new-infinite-loop-bug-in-openssl-could.html