Severity Rating: MEDIUM
Software Affected
OpenSSL versions 1.1.1 and 1.0.2
Overview
A NULL pointer dereference vulnerability has been found in Open SSL which
may lead to a possible denial of service(DoS) attack on a server or client
application running OpenSSL.
Description
This vulnerability is due to a NULL pointer de-reference error. A remote
attacker can trigger denial of service conditions via the API functions viz
TS_RESP_verify_response and TS_RESP_verify_token. An attacker could exploit
this vulnerability by controlling both items being compared. For example if
the attacker can trick a client or server into checking a malicious
certificate against a malicious CRL then this may occur.
Successful exploitation of this vulnerability could allow the attacker to
perform a denial of service (DoS) attack.
Solution
Upgrade to OpenSSL version 1.1.1i
OpenSSL 1.0.2 and 1.1.0 are out of support and no longer receiving updates.
Users of these versions are recommended to upgrade to OpenSSL 1.1.1i.
Vendor Information
OpenSSL
References
OpenSSL
Security Tracker
CVE Name
CVE-2020-1971
About Cert Advisory
We have created this blog to provide latest security advisory from the india cert for the security vulnerability, threats, attacks and patching required to mitigate any kind of cyber attacks.