Conversation

OpenSSL security fixes dropped. CVE-2021-3450 is a complete certificate verification bypass in niche non-standard configurations. CVE-2021-3449 is a NULL pointer dereference crash in default server configurations. openssl.org/news/secadv/20

129

235

Filippo Valsorda

@FiloSottile

Mar 25, 2021

CVE-2021-3450 is kinda delightful because it was introduced by a change that rejects custom curve parameters (which is what broke Windows last year), and it only affects X509_V_FLAG_X509_STRICT mode. Complexity is killer.

Filippo Valsorda

@FiloSottile

Mar 25, 2021

CVE-2021-3449 looks like it could have been found easily if anyone figured out how to fuzz renegotiation, but renegotiation is sadness. Anyway, sounds like you can crash most OpenSSL servers on the Internet today.

Filippo Valsorda

@FiloSottile

Mar 25, 2021

Complexity (like custom curve parameters) not only breeds vulnerabilities (like the Windows certificate check bypass) but also complex patches, which in turn breed more vulnerabilities (CVE-2021-3449). Previously:

blog.cloudflare.com

Yet Another Padding Oracle in OpenSSL CBC Ciphersuites

Yesterday a new vulnerability has been announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it’s in the code that fixes Lucky13.

Filippo Valsorda

@FiloSottile

Mar 29, 2021

Nice extra lesson from CVE-2021-3450: code that the application doesn't need should be unreachable, not just disabled. Nginx disables renegotiation, but not in a way that protects it from the crash, because until recently the only way was a callback.

Quote Tweet

Filippo Valsorda

@FiloSottile

Mar 29, 2021

Replying to @fapolloner @terorie_dev and @DanielMicay

My guess is that to be protected one needs to set SSL_OP_NO_RENEGOTIATION which is not the nginx default. mailman.nginx.org/pipermail/ngin Instead, I think nginx by default cancels renegotiation via SSL_CTX_set_info_callback, which is too late. github.com/nginx/nginx/bl

Replying to

They disable it via SSL_OP_NO_RENEGOTIATION since hg.nginx.org/nginx/rev/dcab. 3 years ago isn't all that recent. They have a mainline release and an LTS release. The SSL_OP_NO_RENEGOTIATION. It got into mainline in 1.15.4 and the LTS branch in 1.16.0. Current LTS release is 1.18.

Replying to

* stares in Debian Stable * packages.debian.org/buster/nginx

Replying to

I think there are bigger issues than denial of service to worry about when deploying that in production. They only have 4 additional security fixes backported and there's a lot more than that available... nginx doesn't get a CVE assignment for each fix with security implications.

Replying to

and

If you take a look at the nginx changelog, they have assorted memory corruption fixes, denial of service fixes, etc. over the past few years. A lot of those are relevant to the obsolete LTS branches. Distributions freezing versions for years have their heads buried in the sand.

Replying to

and

I wouldn't necessarily want to run nginx mainline in production even though that's the upstream suggestion but the LTS branch is very stable. I don't really understand why people even want their distribution freezing packages for literally years with hardly any fixes backported.

1:30 PM · Mar 29, 2021Twitter Web App

Replying to

Oh I hear you, I don't run Debian stable and derivatives anywhere. However my point was more that the original OpenSSL design for how to disable renegotiation was flawed.