CVE-2021-3712

Read buffer overruns processing ASN.1 strings

  • Severity Score: 7.4 (CVSS v3.1)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings, which are represented as a buffer for the string data that is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions), as well as any string whose value has been set with the ASN1_STRING_set() function, will additionally NUL terminate the byte array in the ASN1_STRING structure.

However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING structure. This can also happen by using the ASN1_STRING_set0() function.

Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.

If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
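
The two construction paths described above, side by side, as an added example (not OpenSSL code and not part of the advisory): `demo_string`, `make_direct`, `make_copied`, `render_unsafe` and `render_safe` are hypothetical stand-ins, and the bytes after "alice" are constructed sample data. It shows why a printer that ignores the length field over-reads only for directly constructed strings, and how bounding the read by the length removes the problem.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ASN1_STRING: a buffer plus an explicit length. */
typedef struct { int length; unsigned char *data; } demo_string;

/* Constructed sample memory: 5 string bytes, then unrelated bytes. The final
 * NUL keeps the over-long read inside this array (defined behaviour). */
static unsigned char demo_mem[] = "alice" "SECRETKEY";

/* Direct construction (ASN1_STRING_set0() style): buffer adopted as-is. */
static demo_string make_direct(unsigned char *buf, int len)
{
    demo_string s = { len, buf };
    return s;
}

/* Copying construction (ASN1_STRING_set() style): copy, NUL at data[len]. */
static demo_string make_copied(const unsigned char *src, int len)
{
    demo_string s = { len, calloc((size_t)len + 1, 1) };
    if (s.data != NULL)
        memcpy(s.data, src, (size_t)len);
    else
        s.length = 0;
    return s;
}

/* Affected pattern: treats data as a C string and ignores length. */
static size_t render_unsafe(const demo_string *s, char *out, size_t outsz)
{
    return (size_t)snprintf(out, outsz, "%s", (const char *)s->data);
}

/* Hardened pattern: the length field bounds how many bytes are read. */
static size_t render_safe(const demo_string *s, char *out, size_t outsz)
{
    return (size_t)snprintf(out, outsz, "%.*s", s->length, (const char *)s->data);
}

int main(void)
{
    char out[64];
    demo_string direct = make_direct(demo_mem, 5);
    demo_string copied = make_copied(demo_mem, 5);
    render_unsafe(&direct, out, sizeof out);
    printf("direct, length ignored:  %s\n", out);
    render_safe(&direct, out, sizeof out);
    printf("direct, length honoured: %s\n", out);
    if (copied.data != NULL && render_unsafe(&copied, out, sizeof out) > 0)
        printf("copied, length ignored:  %s\n", out);
    free(copied.data);
    return 0;
}
```

In real memory the bytes after the buffer are whatever the allocator placed there, and a read that finds no NUL before an unmapped page crashes instead, which is the Denial of Service case.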

It was found that OpenSSL assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling an OpenSSL function with a specially crafted, non-NUL-terminated string to deliberately hit this bug, which may result in a crash of the application (a Denial of Service) or, possibly, memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability.

*Credits: Ingo Schwarze
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-08-16 CVE Reserved
  • 2021-08-24 CVE Published
  • 2024-07-30 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
References (23)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Openssl | Openssl | >= 1.0.2 < 1.0.2za | - | Affected
Openssl | Openssl | >= 1.1.1 < 1.1.1l | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Debian | Debian Linux | 10.0 | - | Affected
Debian | Debian Linux | 11.0 | - | Affected
Netapp | Clustered Data Ontap | - | - | Affected
Netapp | Clustered Data Ontap Antivirus Connector | - | - | Affected
Netapp | E-series Santricity Os Controller | >= 11.0 <= 11.50.2 | - | Affected
Netapp | Hci Management Node | - | - | Affected
Netapp | Manageability Software Development Kit | - | - | Affected
Netapp | Santricity Smi-s Provider | - | - | Affected
Netapp | Solidfire | - | - | Affected
Netapp | Storage Encryption | - | - | Affected
Mcafee | Epolicy Orchestrator | < 5.10.0 | - | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | - | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_1 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_10 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_2 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_3 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_4 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_5 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_6 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_7 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_8 | Affected
Mcafee | Epolicy Orchestrator | 5.10.0 | update_9 | Affected
Tenable | Nessus Network Monitor | < 6.0.0 | - | Affected
Tenable | Tenable.sc | >= 5.16.0 <= 5.19.1 | - | Affected
Oracle | Essbase | < 11.1.2.4.047 | - | Affected
Oracle | Essbase | >= 21.0 < 21.3 | - | Affected
Oracle | Essbase | 21.3 | - | Affected
Oracle | Mysql Connectors | <= 8.0.27 | - | Affected
Oracle | Mysql Enterprise Monitor | <= 8.0.25 | - | Affected
Oracle | Mysql Server | >= 5.7.0 <= 5.7.35 | - | Affected
Oracle | Mysql Server | >= 8.0.0 <= 8.0.26 | - | Affected
Oracle | Mysql Workbench | <= 8.0.26 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.57 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.58 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.59 | - | Affected
Oracle | Secure Backup | 18.1.0.1.0 | - | Affected
Oracle | Zfs Storage Appliance Kit | 8.8 | - | Affected
Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 | - | Affected
Oracle | Communications Cloud Native Core Console | 1.9.0 | - | Affected
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 | - | Affected
Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 | - | Affected
Oracle | Communications Session Border Controller | 8.4 | - | Affected
Oracle | Communications Session Border Controller | 9.0 | - | Affected
Oracle | Communications Unified Session Manager | 8.2.5 | - | Affected
Oracle | Communications Unified Session Manager | 8.4.5 | - | Affected
Oracle | Enterprise Communications Broker | 3.2.0 | - | Affected
Oracle | Enterprise Communications Broker | 3.3.0 | - | Affected
Oracle | Enterprise Session Border Controller | 8.4 | - | Affected
Oracle | Enterprise Session Border Controller | 9.0 | - | Affected
Oracle | Health Sciences Inform Publisher | 6.2.1.0 | - | Affected
Oracle | Health Sciences Inform Publisher | 6.3.1.1 | - | Affected
Oracle | Jd Edwards Enterpriseone Tools | < 9.2.6.3 | - | Affected
Oracle | Jd Edwards World Security | a9.4 | - | Affected