PoC exploit released for CVE-2020-1967 DoS vulnerability in OpenSSL


A proof-of-concept (PoC) exploit has been published for a recently patched flaw in OpenSSL that allows a remote attacker to perform denial-of-service (DoS) attacks.

The vulnerability, tracked as CVE-2020-1967, affects OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, but does not impact the older 1.0.2 and 1.1.0 branches. The flaw, described as a NULL pointer dereference in the SSL_check_chain() function during or after a TLS 1.3 handshake, can be exploited to cause a denial-of-service condition by sending an invalid or unrecognized signature algorithm.

The bug was patched on April 21 with the release of OpenSSL 1.1.1g.

Now, security researcher Imre Rad has released PoC exploit code for CVE-2020-1967, along with technical details describing the exploitation process.

The researcher said the exploitation process is quite simple: one just needs to send the malicious payload to the vulnerable server using, for example, the patched openssl s_client utility available on GitHub. The vulnerability can also be exploited via a man-in-the-middle (MitM) attack, or by setting up a malicious TLS server and tricking a vulnerable client into connecting to it.

“To exploit this vulnerability, a crafted signature_algorithms_cert TLS extension needs to be submitted as part of the Hello message. I used a patched version of the openssl library to build such a client; the server is the built-in s_server openssl app, along with the -x options to activate the code path that invokes SSL_check_chain,” Rad noted in a description posted on GitHub.
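From a detection standpoint, the trigger described above is visible on the wire: a ClientHello carrying a signature_algorithms_cert extension (type 51) whose list contains a SignatureScheme value outside the IANA registry. The following is an added example, not code from Rad's PoC or from OpenSSL; it parses a raw ClientHello body (record and handshake headers already stripped, an assumption) and reports unrecognized scheme values, using a constructed sample message in which 0x1234 is a made-up, unassigned code point.

```python
import struct

# SignatureScheme code points from RFC 8446 section 4.2.3 (plus legacy SHA-1 pairs)
KNOWN_SIGNATURE_SCHEMES = {
    0x0401, 0x0501, 0x0601,   # rsa_pkcs1_sha256 / sha384 / sha512
    0x0403, 0x0503, 0x0603,   # ecdsa_secp256r1 / secp384r1 / secp521r1
    0x0804, 0x0805, 0x0806,   # rsa_pss_rsae_sha256 / sha384 / sha512
    0x0807, 0x0808,           # ed25519, ed448
    0x0809, 0x080A, 0x080B,   # rsa_pss_pss_sha256 / sha384 / sha512
    0x0201, 0x0203,           # rsa_pkcs1_sha1, ecdsa_sha1 (legacy)
}
EXT_SIGNATURE_ALGORITHMS_CERT = 51

def parse_client_hello_extensions(hello: bytes) -> dict:
    """Map extension type -> extension data for a ClientHello body (RFC 8446 section 4.1.2)."""
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # legacy_session_id
    cs_len = struct.unpack_from("!H", hello, pos)[0]
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + hello[pos]                          # legacy_compression_methods
    ext_total = struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    end = pos + ext_total
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts

def unknown_cert_sig_schemes(hello: bytes) -> list:
    """Return SignatureScheme values in signature_algorithms_cert that are not IANA-registered."""
    data = parse_client_hello_extensions(hello).get(EXT_SIGNATURE_ALGORITHMS_CERT)
    if data is None:
        return []                                  # extension absent: nothing to flag
    list_len = struct.unpack_from("!H", data, 0)[0]
    if list_len % 2 or 2 + list_len > len(data):
        raise ValueError("malformed signature_algorithms_cert extension")
    schemes = struct.unpack_from("!%dH" % (list_len // 2), data, 2)
    return [s for s in schemes if s not in KNOWN_SIGNATURE_SCHEMES]

# Constructed sample ClientHello body: zeroed random, one cipher suite, and a
# signature_algorithms_cert list of rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, 0x1234.
SAMPLE_HELLO = bytes.fromhex(
    "0303" + "00" * 32            # legacy_version, random
    + "00"                        # empty legacy_session_id
    + "0002" "1301"               # cipher_suites: TLS_AES_128_GCM_SHA256
    + "0100"                      # legacy_compression_methods: null
    + "000c" "0033" "0008"        # extensions length; type 51, 8 bytes
    + "0006" "0804" "0403" "1234" # 3 schemes; 0x1234 is not IANA-assigned
)
```

Run over captured ClientHello bodies, a non-empty result from unknown_cert_sig_schemes() is the condition worth alerting on for servers still on 1.1.1d through 1.1.1f.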
