OpenSSL released a security advisory yesterday for CVE-2020-1971, a high-severity vulnerability that can crash applications using OpenSSL when they check a maliciously crafted certificate. The issue lies in OpenSSL's GENERAL_NAME_cmp function, which compares two GENERAL_NAME values to see if they are equal. One place this comparison is used is when OpenSSL checks a certificate against a certificate revocation list (CRL): the certificate's CRL distribution point extension names where the issuer publishes its list of revoked certificates, and OpenSSL compares that name with the issuing distribution point carried in the CRL. Because a distribution point is a GENERAL_NAME, it does not have to be a URL; it can also be an EDIPARTYNAME. GENERAL_NAME_cmp mishandled that type, and when both of the names being compared are EDIPARTYNAMEs the result is a NULL pointer dereference. An attacker who can get an application to check a certificate whose CRL distribution point is an EDIPARTYNAME against a malicious CRL that also uses one can therefore crash the application, a denial of service. Two caveats matter for assessing exposure: this comparison happens before the signatures on the certificate and the CRL are verified, so the attacker does not need a certificate from a trusted CA, and the same comparison is also used when OpenSSL verifies an RFC 3161 timestamp response against the expected timestamp authority name, so applications that verify timestamps are exposed even if they never process CRLs.
OpenSSL reports that versions 1.0.2 and 1.1.1 are affected. Users of 1.1.1 should upgrade to 1.1.1i. Version 1.0.2 is out of public support; customers with a premium support contract can upgrade to 1.0.2x, and everyone else still on 1.0.2 should move to 1.1.1i. Because OpenSSL is frequently bundled or statically linked into other products rather than only installed as a system library, IT administrators should also watch for updates to web servers, VPN software, appliances and other products that ship their own copy of OpenSSL, and apply those updates soon after they become available.
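As an added example for the upgrade advice above (this is not code from the advisory or from the OpenSSL project), the Python below classifies the banner printed by "openssl version" against the 1.1.1i and 1.0.2x fix levels, so the same check can be run over an inventory of hosts or over version strings pulled out of bundled binaries. It assumes OpenSSL's 1.x letter ordering, in which a missing letter is the oldest release and a two-letter suffix sorts after a single letter (the scheme 0.9.8 used when it went past "z" to "za"); the sample banners and their dates are constructed for the example.

```python
"""Classify OpenSSL builds against the CVE-2020-1971 fix levels (1.1.1i, 1.0.2x).

Added example, not part of the advisory or of OpenSSL itself. Input is the
text printed by `openssl version` (or a bare version string); nothing is
fetched from the network.
"""
import re
import subprocess

# First fixed letter on each affected branch, per the OpenSSL advisory.
FIXED_SUFFIX = {(1, 1, 1): "i", (1, 0, 2): "x"}

# Matches "OpenSSL 1.1.1h  22 Sep 2020", "OpenSSL 1.0.2u", or a bare "1.1.1g".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(text):
    """Return (major, minor, patch, letters) or None.

    A banner from a different library (LibreSSL, BoringSSL) is rejected so
    that its version numbers are not misread as OpenSSL's.
    """
    lib = re.search(r"\b([A-Za-z]+SSL)\b", text)
    if lib and lib.group(1).lower() != "openssl":
        return None
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower())


def suffix_key(letters):
    """Sort key for OpenSSL 1.x patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'.

    Assumption: longer suffixes sort after shorter ones, as OpenSSL's own
    numbering did for 0.9.8 (0.9.8z was followed by 0.9.8za).
    """
    return (len(letters), letters)


def cve_2020_1971_status(text):
    """'vulnerable', 'fixed', 'not covered' (a branch the advisory does not
    list, e.g. 1.1.0 or 3.x), or 'unknown' (no OpenSSL version parsed)."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    branch, letters = parsed[:3], parsed[3]
    if branch not in FIXED_SUFFIX:
        return "not covered"
    fixed = suffix_key(letters) >= suffix_key(FIXED_SUFFIX[branch])
    return "fixed" if fixed else "vulnerable"


def local_openssl_status():
    """Classify the `openssl` binary on PATH; 'unknown' if there is none."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return "unknown"
    return cve_2020_1971_status(proc.stdout)


# Constructed sample banners in the format `openssl version` prints; the dates
# are illustrative and not taken from the advisory.
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1h  22 Sep 2020",
    "OpenSSL 1.1.1i  8 Dec 2020",
    "OpenSSL 1.1.1  11 Sep 2018",
    "OpenSSL 1.0.2u  20 Dec 2019",
    "OpenSSL 1.0.2x  8 Dec 2020",
    "OpenSSL 1.1.0l  10 Sep 2019",
    "LibreSSL 3.1.4",
]


def classify_banners(banners=SAMPLE_BANNERS):
    """Map each banner to its status, the shape an inventory script would emit."""
    return {banner: cve_2020_1971_status(banner) for banner in banners}


if __name__ == "__main__":
    for banner, status in classify_banners().items():
        print(f"{status:12} {banner}")
    print(f"{local_openssl_status():12} (local openssl binary)")
```

A "not covered" result is not a clean bill of health: 1.1.0 was already out of support when the advisory was published and is not assessed by this check, and a product may report a system OpenSSL while linking its own older copy, so version strings extracted from the product's binaries should be fed through the same function.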