CVE-2021-3712

Read buffer overruns processing ASN.1 strings

Severity Score

7.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).

Las cadenas ASN.1 se representan internamente en OpenSSL como una estructura ASN1_STRING que contiene un búfer que contiene los datos de la cadena y un campo que contiene la longitud del búfer. Esto contrasta con las cadenas C normales, que se representan como un búfer para los datos de la cadena que termina con un byte NUL (0). Aunque no es un requisito estricto, las cadenas ASN.1 que se analizan usando las propias funciones "d2i" de OpenSSL (y otras funciones de análisis similares), así como cualquier cadena cuyo valor ha sido ajustado con la función ASN1_STRING_set(), terminarán adicionalmente con NUL la matriz de bytes en la estructura ASN1_STRING. Sin embargo, es posible que las aplicaciones construyan directamente estructuras ASN1_STRING válidas que no terminen en NUL la matriz de bytes, ajustando directamente los campos "data" y "length" en la matriz ASN1_STRING. Esto también puede ocurrir usando la función ASN1_STRING_set0(). Se ha detectado que numerosas funciones de OpenSSL que imprimen datos ASN.1 asumen que la matriz de bytes ASN1_STRING estará terminada en NUL, aunque esto no está garantizado para las cadenas que han sido construidas directamente. Cuando una aplicación pide que se imprima una estructura ASN.1, y cuando esa estructura ASN.1 contiene ASN1_STRINGs que han sido construidos directamente por la aplicación sin terminar en NUL el campo "data", entonces puede ocurrir un desbordamiento del buffer de lectura. Lo mismo puede ocurrir durante el procesamiento de las restricciones de nombre de los certificados (por ejemplo, si un certificado ha sido construido directamente por la aplicación en lugar de cargarlo por medio de las funciones de análisis de OpenSSL, y el certificado contiene estructuras ASN1_STRING sin terminación NUL). También puede ocurrir en las funciones X509_get1_email(), X509_REQ_get1_email() y X509_get1_ocsp(). Si un actor malicioso puede hacer que una aplicación construya directamente un ASN1_STRING y luego lo procese a mediante una de las funciones de OpenSSL afectadas, este problema podría ser alcanzado. Esto podría resultar en un bloqueo (causando un ataque de Denegación de Servicio). También podría resultar en la revelación de contenidos de memoria privada (como claves privadas, o texto plano confidencial). Corregido en OpenSSL versión 1.1.1l (Afectada 1.1.1-1.1.1k). Corregido en OpenSSL versión 1.0.2za (Afectada 1.0.2-1.0.2y).

It was found that openssl assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling openssl function with a specially crafted, non-NUL terminated string to deliberately hit this bug, which may result in a crash of the application, causing a Denial of Service attack, or possibly, memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability.

*Credits: Ingo Schwarze

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-08-16 CVE Reserved
2021-08-24 CVE Published
2024-07-30 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (23)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/08/26/2	Mailing List
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
https://kc.mcafee.com/corporate/index?page=content&id=SB10366	Third Party Advisory
https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html	Mailing List
https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html	Mailing List
https://security.netapp.com/advisory/ntap-20210827-0010	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006
https://www.oracle.com/security-alerts/cpujan2022.html	Third Party Advisory
https://www.tenable.com/security/tns-2021-16	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf	2024-06-21
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	2024-06-21
https://www.oracle.com/security-alerts/cpuapr2022.html	2024-06-21
https://www.oracle.com/security-alerts/cpuoct2021.html	2024-06-21
https://www.tenable.com/security/tns-2022-02	2024-06-21

URL	Date	SRC
https://security.gentoo.org/glsa/202209-02	2024-06-21
https://security.gentoo.org/glsa/202210-02	2024-06-21
https://www.debian.org/security/2021/dsa-4963	2024-06-21
https://www.openssl.org/news/secadv/20210824.txt	2024-06-21
https://access.redhat.com/security/cve/CVE-2021-3712	2022-01-11
https://bugzilla.redhat.com/show_bug.cgi?id=1995634	2022-01-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.0.2 < 1.0.2za Search vendor "Openssl" for product "Openssl" and version " >= 1.0.2 < 1.0.2za"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.1.1 < 1.1.1l Search vendor "Openssl" for product "Openssl" and version " >= 1.1.1 < 1.1.1l"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				-		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Antivirus Connector Search vendor "Netapp" for product "Clustered Data Ontap Antivirus Connector"				-		-		Affected
Netapp Search vendor "Netapp"		E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller"				>= 11.0 <= 11.50.2 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0 <= 11.50.2"		-		Affected
Netapp Search vendor "Netapp"		Hci Management Node Search vendor "Netapp" for product "Hci Management Node"				-		-		Affected
Netapp Search vendor "Netapp"		Manageability Software Development Kit Search vendor "Netapp" for product "Manageability Software Development Kit"				-		-		Affected
Netapp Search vendor "Netapp"		Santricity Smi-s Provider Search vendor "Netapp" for product "Santricity Smi-s Provider"				-		-		Affected
Netapp Search vendor "Netapp"		Solidfire Search vendor "Netapp" for product "Solidfire"				-		-		Affected
Netapp Search vendor "Netapp"		Storage Encryption Search vendor "Netapp" for product "Storage Encryption"				-		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				< 5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version " < 5.10.0"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		-		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_1		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_10		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_2		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_3		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_4		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_5		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_6		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_7		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_8		Affected
Mcafee Search vendor "Mcafee"		Epolicy Orchestrator Search vendor "Mcafee" for product "Epolicy Orchestrator"				5.10.0 Search vendor "Mcafee" for product "Epolicy Orchestrator" and version "5.10.0"		update_9		Affected
Tenable Search vendor "Tenable"		Nessus Network Monitor Search vendor "Tenable" for product "Nessus Network Monitor"				< 6.0.0 Search vendor "Tenable" for product "Nessus Network Monitor" and version " < 6.0.0"		-		Affected
Tenable Search vendor "Tenable"		Tenable.sc Search vendor "Tenable" for product "Tenable.sc"				>= 5.16.0 <= 5.19.1 Search vendor "Tenable" for product "Tenable.sc" and version " >= 5.16.0 <= 5.19.1"		-		Affected
Oracle Search vendor "Oracle"		Essbase Search vendor "Oracle" for product "Essbase"				< 11.1.2.4.047 Search vendor "Oracle" for product "Essbase" and version " < 11.1.2.4.047"		-		Affected
Oracle Search vendor "Oracle"		Essbase Search vendor "Oracle" for product "Essbase"				>= 21.0 < 21.3 Search vendor "Oracle" for product "Essbase" and version " >= 21.0 < 21.3"		-		Affected
Oracle Search vendor "Oracle"		Essbase Search vendor "Oracle" for product "Essbase"				21.3 Search vendor "Oracle" for product "Essbase" and version "21.3"		-		Affected
Oracle Search vendor "Oracle"		Mysql Connectors Search vendor "Oracle" for product "Mysql Connectors"				<= 8.0.27 Search vendor "Oracle" for product "Mysql Connectors" and version " <= 8.0.27"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				<= 8.0.25 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.25"		-		Affected
Oracle Search vendor "Oracle"		Mysql Server Search vendor "Oracle" for product "Mysql Server"				>= 5.7.0 <= 5.7.35 Search vendor "Oracle" for product "Mysql Server" and version " >= 5.7.0 <= 5.7.35"		-		Affected
Oracle Search vendor "Oracle"		Mysql Server Search vendor "Oracle" for product "Mysql Server"				>= 8.0.0 <= 8.0.26 Search vendor "Oracle" for product "Mysql Server" and version " >= 8.0.0 <= 8.0.26"		-		Affected
Oracle Search vendor "Oracle"		Mysql Workbench Search vendor "Oracle" for product "Mysql Workbench"				<= 8.0.26 Search vendor "Oracle" for product "Mysql Workbench" and version " <= 8.0.26"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"		-		Affected
Oracle Search vendor "Oracle"		Secure Backup Search vendor "Oracle" for product "Secure Backup"				18.1.0.1.0 Search vendor "Oracle" for product "Secure Backup" and version "18.1.0.1.0"		-		Affected
Oracle Search vendor "Oracle"		Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit"				8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"		-		Affected
Siemens Search vendor "Siemens"		Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services"				< 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Console Search vendor "Oracle" for product "Communications Cloud Native Core Console"				1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Security Edge Protection Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"				1.7.0 Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"				1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.15.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Border Controller Search vendor "Oracle" for product "Communications Session Border Controller"				8.4 Search vendor "Oracle" for product "Communications Session Border Controller" and version "8.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Border Controller Search vendor "Oracle" for product "Communications Session Border Controller"				9.0 Search vendor "Oracle" for product "Communications Session Border Controller" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Session Manager Search vendor "Oracle" for product "Communications Unified Session Manager"				8.2.5 Search vendor "Oracle" for product "Communications Unified Session Manager" and version "8.2.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Session Manager Search vendor "Oracle" for product "Communications Unified Session Manager"				8.4.5 Search vendor "Oracle" for product "Communications Unified Session Manager" and version "8.4.5"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Communications Broker Search vendor "Oracle" for product "Enterprise Communications Broker"				3.2.0 Search vendor "Oracle" for product "Enterprise Communications Broker" and version "3.2.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Communications Broker Search vendor "Oracle" for product "Enterprise Communications Broker"				3.3.0 Search vendor "Oracle" for product "Enterprise Communications Broker" and version "3.3.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Session Border Controller Search vendor "Oracle" for product "Enterprise Session Border Controller"				8.4 Search vendor "Oracle" for product "Enterprise Session Border Controller" and version "8.4"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Session Border Controller Search vendor "Oracle" for product "Enterprise Session Border Controller"				9.0 Search vendor "Oracle" for product "Enterprise Session Border Controller" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Inform Publisher Search vendor "Oracle" for product "Health Sciences Inform Publisher"				6.2.1.0 Search vendor "Oracle" for product "Health Sciences Inform Publisher" and version "6.2.1.0"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Inform Publisher Search vendor "Oracle" for product "Health Sciences Inform Publisher"				6.3.1.1 Search vendor "Oracle" for product "Health Sciences Inform Publisher" and version "6.3.1.1"		-		Affected
Oracle Search vendor "Oracle"		Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"				< 9.2.6.3 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.6.3"		-		Affected
Oracle Search vendor "Oracle"		Jd Edwards World Security Search vendor "Oracle" for product "Jd Edwards World Security"				a9.4 Search vendor "Oracle" for product "Jd Edwards World Security" and version "a9.4"		-		Affected