CVE-2023-0464

Excessive Resource Usage Verifying X.509 Policy Constraints

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
RedHat

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

A security vulnerability has been identified in all supported OpenSSL versions related to verifying X.509 certificate chains that include policy constraints. This flaw allows attackers to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial of service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or calling the X509_VERIFY_PARAM_set1_policies()' function.

*Credits: David Benjamin (Google), Dr Paul Dale

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-01-24 CVE Reserved
2023-03-22 CVE Published
2024-08-02 CVE Updated
2024-11-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation
CWE-400: Uncontrolled Resource Consumption

CAPEC

References (12)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
https://security.gentoo.org/glsa/202402-08
https://security.netapp.com/advisory/ntap-20240621-0006
https://www.couchbase.com/alerts
https://www.debian.org/security/2023/dsa-5417

URL	Date	SRC

URL	Date	SRC
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545	2024-06-21
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e	2024-06-21
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b	2024-06-21
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1	2024-06-21

URL	Date	SRC
https://www.openssl.org/news/secadv/20230322.txt	2024-06-21
https://access.redhat.com/security/cve/CVE-2023-0464	2023-12-07
https://bugzilla.redhat.com/show_bug.cgi?id=2181082	2023-12-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.0.2 < 1.0.2zh Search vendor "Openssl" for product "Openssl" and version " >= 1.0.2 < 1.0.2zh"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.1.1 < 1.1.1u Search vendor "Openssl" for product "Openssl" and version " >= 1.1.1 < 1.1.1u"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 3.0.0 < 3.0.9 Search vendor "Openssl" for product "Openssl" and version " >= 3.0.0 < 3.0.9"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 3.1.0 < 3.1.1 Search vendor "Openssl" for product "Openssl" and version " >= 3.1.0 < 3.1.1"		-		Affected