Security News > 2022 > March > OpenSSL cert parsing bug causes infinite denial of service loop
OpenSSL has released a security update to address a vulnerability in the library that, if exploited, activates an infinite loop function and leads to denial of service conditions.
Certificates causing DoS. In this case, the high-severity OpenSLL problem lies in a bug on the BN mod sqrt() function, that if served a maliciously crafted certificate to parse, it will enter an infinite loop.
"Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack," describes OpenSSL's security notice.
Google's security researcher Tavis Ormandy discovered the certificate parsing vulnerability and reported his findings to the OpenSSL team on February 24, 2022.
The fixed versions released yesterday are 1.1.1n and 3.0.2, while only premium users of 1.0.2 will be offered a fix through 1.0.2zd. Because version 1.0.2 does not parse the public key during the parsing of the certificate, the infinite loop is slightly more complicated to trigger than the other versions, but it's still doable.
Although OpenSSL has not said that the bug is already used by threat actors, Italy's national cybersecurity agency, CSIRT, has marked it as actively exploited in the wild.