OpenSSL released a security advisory yesterday for CVE-2020-1971, a high-severity vulnerability that can crash applications using OpenSSL when they check a maliciously crafted certificate. The issue lies in OpenSSL's GENERAL_NAME_cmp function, which compares two GENERAL_NAME values to determine whether they are equal. One place this comparison is used is when OpenSSL validates a certificate's certificate revocation list (CRL) distribution points field, which specifies where the certificate issuer publishes its list of revoked certificates. Because it is a GENERAL_NAME, however, that field does not have to contain a URL. If an attacker were to create an SSL certificate that specifies the CRL location as an EDIPARTYNAME, together with a malicious CRL, they could cause the application to crash.
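The bug class behind this advisory (OpenSSL's own title for it is "EDIPARTYNAME NULL pointer de-reference") is a comparison routine over ASN.1 structures that reaches into a member without first confirming that the member is present and that both operands really are the type the code assumes. The example below is added here and is not OpenSSL code: it is a deliberately small model of GeneralName and EDIPartyName (RFC 5280), with hypothetical type and function names (`general_name`, `edi_party_name`, `general_name_cmp`, `edi_party_name_cmp`), showing how a comparison function should treat the OPTIONAL nameAssigner member and how it should dispatch on the name type before touching the union payload. The sample values are constructed.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added, simplified model of X.509 GeneralName and EDIPartyName (RFC 5280).
 * The types and function names are hypothetical, not OpenSSL's.
 */
typedef enum { GN_URI, GN_DNS, GN_EDIPARTY } gn_type;

typedef struct {
    const char *name_assigner;  /* OPTIONAL in the ASN.1 definition: may be NULL */
    const char *party_name;     /* mandatory, but an untrusted parser may still hand us NULL */
} edi_party_name;

typedef struct {
    gn_type type;
    union {
        const char *uri;              /* GN_URI */
        const char *dns;              /* GN_DNS */
        const edi_party_name *edi;    /* GN_EDIPARTY */
    } d;
} general_name;

/* Compare two possibly-absent strings. Absent equals absent; absent sorts before present. */
static int cmp_optional_str(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return (a != NULL) - (b != NULL);
    return strcmp(a, b);
}

/* Compare two EDIPartyName values without dereferencing an absent member. */
int edi_party_name_cmp(const edi_party_name *a, const edi_party_name *b)
{
    int r;
    if (a == NULL || b == NULL)
        return (a != NULL) - (b != NULL);
    r = cmp_optional_str(a->name_assigner, b->name_assigner);
    if (r != 0)
        return r;
    return cmp_optional_str(a->party_name, b->party_name);
}

/* Compare two GeneralName values. The tag is checked first and every tag has an
 * explicit case; a tag this function does not understand compares as "not equal"
 * rather than falling through to a branch that reinterprets the payload. */
int general_name_cmp(const general_name *a, const general_name *b)
{
    if (a == NULL || b == NULL)
        return (a != NULL) - (b != NULL);
    if (a->type != b->type)
        return (int)a->type - (int)b->type;
    switch (a->type) {
    case GN_URI:
        return cmp_optional_str(a->d.uri, b->d.uri);
    case GN_DNS:
        return cmp_optional_str(a->d.dns, b->d.dns);
    case GN_EDIPARTY:
        return edi_party_name_cmp(a->d.edi, b->d.edi);
    }
    return -1;  /* unknown tag: never equal */
}

/* Demonstration on constructed values: a CRL distribution point given as an
 * EDIPartyName with nameAssigner omitted, compared against an equal value,
 * against one that only adds the optional member, and against a URI.
 * Returns 1 when every expectation holds. */
int demo(void)
{
    edi_party_name p1 = { NULL, "example-party" };           /* nameAssigner absent */
    edi_party_name p2 = { NULL, "example-party" };
    edi_party_name p3 = { "example-assigner", "example-party" };
    general_name g1 = { GN_EDIPARTY, { .edi = &p1 } };
    general_name g2 = { GN_EDIPARTY, { .edi = &p2 } };
    general_name g3 = { GN_EDIPARTY, { .edi = &p3 } };
    general_name u  = { GN_URI, { .uri = "http://crl.example/placeholder.crl" } };

    return general_name_cmp(&g1, &g2) == 0     /* equal, no crash on the absent field */
        && general_name_cmp(&g1, &g3) != 0     /* differ only in the optional member */
        && general_name_cmp(&g1, &u) != 0;     /* different tags never compare equal */
}
```

The two checks worth carrying into any real comparison over parsed certificate data are the ones `demo` exercises: absent OPTIONAL members are compared as a value in their own right instead of being dereferenced, and a mismatch or an unrecognised type tag yields "not equal" before any union member is read.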