New Infinite Loop Bug in OpenSSL May Allow Attackers to Crash Remote Servers

The OpenSSL project has released patches for a high-severity flaw in its software library that can trap a process in an infinite loop while parsing a certificate, leading to a denial-of-service (DoS) condition. According to the OpenSSL maintainers, the bug may allow attackers to crash remote servers.

The vulnerability is tracked as CVE-2022-0778 and has been given a CVSS score of 7.5. It stems from parsing a malformed certificate with invalid explicit elliptic-curve parameters, which triggers an "infinite loop" in the BN_mod_sqrt() function used to compute modular square roots.

In an advisory published on March 15, 2022, OpenSSL said, “Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic-curve parameters.”
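The routine named above computes a modular square root, and a square-root algorithm whose termination argument assumes a prime modulus can run forever when the modulus is not actually prime, which is what unchecked explicit curve parameters from a parsed certificate or key can supply. As an added illustration (this is not OpenSSL's BN_mod_sqrt() and not code from the advisory), the Python below is a stand-alone model of the Tonelli-Shanks algorithm in which every loop carries an explicit bound, so a bad modulus produces an error instead of an endless loop. The moduli and inputs in the demo (17, 85 = 5 * 17, 21) are constructed for this example; `MAX_NONRESIDUE_TRIES`, `NoSquareRoot` and `rejects()` are this example's own names.

```python
"""Bounded modular square root (Tonelli-Shanks).

Added illustration, not OpenSSL's BN_mod_sqrt(): a stand-alone Python model of
the same algorithm with every loop explicitly bounded, so that a modulus that
is not prime produces an error instead of an endless loop.
"""

# Upper bound on the search for a quadratic non-residue. Chosen for this
# example; for a prime modulus the smallest non-residue is found quickly.
MAX_NONRESIDUE_TRIES = 64


class NoSquareRoot(ValueError):
    """Raised when no root is found: a is not a square, or p is not prime."""


def _verified(r: int, a: int, p: int) -> int:
    """Accept a candidate root only if it actually squares back to a."""
    if r * r % p != a:
        raise NoSquareRoot("candidate does not square to a: not a square mod p")
    return r


def mod_sqrt(a: int, p: int) -> int:
    """Return r with r*r == a (mod p) for an odd prime p, or raise NoSquareRoot.

    Every loop below is bounded, so the call always terminates even when the
    caller (say, a certificate parser) passes an attacker-chosen composite p.
    """
    if p < 3 or p % 2 == 0:
        raise NoSquareRoot("modulus must be an odd integer >= 3")
    a %= p
    if a == 0:
        return 0

    if p % 4 == 3:
        # Fast path: for p = 3 (mod 4) a root, if one exists, is a^((p+1)/4).
        return _verified(pow(a, (p + 1) // 4, p), a, p)

    # Write p - 1 = q * 2^e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1

    # Find a quadratic non-residue z via Euler's criterion: z^((p-1)/2) == -1.
    # Bounded: if p is composite, no such z may exist at all.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z > MAX_NONRESIDUE_TRIES:
            raise NoSquareRoot("no quadratic non-residue found; modulus is probably not prime")

    m, c, t, r = e, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)

    # Outer loop: m strictly decreases every round, so at most e rounds run.
    while t != 1:
        # Find the least i with t^(2^i) == 1. For a prime p the invariant
        # t^(2^(m-1)) == 1 guarantees i < m; for a composite p the chain of
        # squarings may never reach 1, so the check i >= m is what prevents
        # an infinite loop here.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                raise NoSquareRoot("no root: a is not a square or modulus is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m = i
        c = b * b % p
        t = t * c % p
        r = r * b % p

    return _verified(r, a, p)


def rejects(a: int, p: int) -> bool:
    """True if mod_sqrt refuses (a, p) with an error instead of returning a root."""
    try:
        mod_sqrt(a, p)
        return False
    except NoSquareRoot:
        return True


if __name__ == "__main__":
    print(mod_sqrt(13, 17))  # 8: 8*8 = 64 = 13 (mod 17)
    # Constructed bad inputs: a non-square mod a prime, and two composite moduli.
    for a, p in ((3, 17), (16, 85), (5, 21)):
        print(f"mod_sqrt({a}, {p}) rejected: {rejects(a, p)}")
```

The case `mod_sqrt(16, 85)` is the instructive one: 16 is a perfect square, yet because 85 is composite the squaring chain inside the inner loop never behaves as the prime-modulus invariant promises, and only the `i >= m` bound turns that into an error. The general defensive rule is that any number-theoretic routine whose termination proof assumes a prime modulus must either validate primality or bound its loops whenever the modulus comes from untrusted input such as a parsed certificate or private key.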

There is no evidence of the vulnerability being exploited in the wild, though it can be weaponized in certain scenarios. These include TLS clients (or servers) receiving a rogue certificate from a malicious server (or client), and certificate authorities parsing certification requests from subscribers.

OpenSSL versions 1.0.2, 1.1.1, and 3.0 are affected by the vulnerability. The project has addressed the flaw with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. OpenSSL 1.1.0 is also affected but will not receive a fix, as it has reached end-of-life.
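For a quick inventory check against the versions listed above, the following added example (not an OpenSSL project tool) classifies the output of `openssl version` as patched, vulnerable, or unknown. The fixed releases (1.0.2zd, 1.1.1n, 3.0.2) and the unfixed end-of-life branch (1.1.0) come from the text; the parsing logic, the status labels and the sample version strings are this example's own.

```python
"""Classify an `openssl version` string against the CVE-2022-0778 fixed releases.

Added example, not an OpenSSL project tool. Fixed versions and the unfixed
end-of-life branch are taken from the advisory summary; everything else here
is this example's own.
"""
import re
import subprocess

# Branch -> first release carrying the fix. 1.x.y branches are identified by
# three numbers (the patch level is a letter suffix); 3.x branches by two.
FIXED_IN = {
    (1, 0, 2): (1, 0, 2, "zd"),
    (1, 1, 1): (1, 1, 1, "n"),
    (3, 0): (3, 0, 2, ""),
}
# Affected, but end-of-life: no fixed release exists.
EOL_UNFIXED = {(1, 1, 0)}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str):
    """Return (major, minor, fix, letters) from an `openssl version` line, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def _branch(v):
    return v[:3] if v[0] < 3 else v[:2]


def _fmt(v):
    return f"{v[0]}.{v[1]}.{v[2]}{v[3]}"


def classify(text: str) -> str:
    """Map a version line to 'patched', 'vulnerable: ...' or 'unknown: ...'."""
    v = parse_version(text)
    if v is None:
        return "unknown: not an OpenSSL version string"
    branch = _branch(v)
    if branch in EOL_UNFIXED:
        return "vulnerable: branch is end-of-life and will not be fixed"
    if branch not in FIXED_IN:
        return "unknown: branch not covered by the advisory versions listed here"
    # Tuple comparison: numbers first, then the letter suffix. Plain string
    # order matches OpenSSL's letter scheme: "" < "a" < ... < "z" < "za" < "zd".
    if v >= FIXED_IN[branch]:
        return "patched"
    return f"vulnerable: upgrade to {_fmt(FIXED_IN[branch])} or later"


if __name__ == "__main__":
    # Constructed sample lines in the shape `openssl version` prints.
    for line in ("OpenSSL 1.1.1n  15 Mar 2022", "OpenSSL 1.1.1k  25 Mar 2021",
                 "OpenSSL 3.0.1", "OpenSSL 1.0.2u", "OpenSSL 1.1.0l", "LibreSSL 3.3.6"):
        print(f"{line!r:35} -> {classify(line)}")
    # Live check of the local binary, if one is installed.
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout.strip()
        print(f"local: {out!r} -> {classify(out)}")
    except FileNotFoundError:
        print("local: openssl binary not found")
```

One caveat a version-string check cannot capture: Linux distributions commonly backport security fixes without bumping the upstream version, so a build reporting 1.1.1k may already carry the fix. Treat a "vulnerable" verdict from this script as a prompt to check the distribution package's changelog, not as a final answer.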

Google Project Zero security researcher Tavis Ormandy is credited with reporting the flaw on February 24, 2022. The fix was developed by David Benjamin of Google and Tomáš Mráz of OpenSSL.

Earlier this year, the project also resolved another OpenSSL vulnerability, CVE-2021-4160, a moderate-severity flaw with a CVSS score of 5.9 that affected the library's MIPS32 and MIPS64 squaring procedure.
