Update to OpenSSL 3.0.13 - tracking some minor OpenSSL 3.0.8 vulnerabilities #2639

Closed
fyodor opened this issue Apr 24, 2023 · 6 comments
fyodor commented Apr 24, 2023

Update (March 11, 2024): Actually it looks like we'll be able to get OpenSSL 3.0.13 into the Nmap release which is coming very soon.

UPDATE (Jan 25, 2024): Updated title to OpenSSL 3.0.12 since we're planning to upgrade to that version before the upcoming Nmap 7.95 release.

UPDATE (July 17, 2023): Nmap Version 7.94 was released on May 19, 2023 with the then-latest OpenSSL Version 3.0.8. OpenSSL 3.0.9 was released on May 30, 2023 and will be included with the next Nmap release.

We're planning to include the newest OpenSSL version (3.0.8) in the Windows and Mac builds of the upcoming Nmap release unless an even newer version of OpenSSL is released by then. OpenSSL already has 4 CVEs issued against Version 3.0.8, but the OpenSSL team considers their severity to be so low that they aren't creating a special fixed release. Also Nmap itself isn't vulnerable to any of them. Our Ncat program could be affected if you use it with the non-default --ssl-verify option. We are tracking the issues here, and further information is available from the OpenSSL Security Vulnerabilities Page. Once OpenSSL puts out a fixed 3.0.9 release, we plan to update our Nmap Windows and Mac builds and then include those with our next release. Then we'll close this issue.

  • CVE-2023-0464 - Excessive Resource Usage Verifying X.509 Policy Constraints
    • OpenSSL team reports that "A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems." and "Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available."
    • Nmap is not affected because it doesn't do certificate validation. Ncat could possibly be affected if you use the --ssl-verify option.
  • CVE-2023-0465 - Invalid certificate policies in leaf certificates are silently ignored
    • OpenSSL team reports that "Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks." and "Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available."
    • Nmap is not affected because it doesn't do certificate validation. Ncat could possibly be affected if you use the --ssl-verify option.
  • CVE-2023-0466 - Certificate policy check not enabled
    • OpenSSL team reports that "The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification." and "Due to the low severity of this issue we are not creating a new release at this time."
    • Nmap is not affected because it doesn't do certificate validation. Ncat could possibly be affected if you use the --ssl-verify option.
  • CVE-2023-1255 - "Input buffer over-read in AES-XTS implementation on 64 bit ARM"
    • OpenSSL team reports: "The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash." and "Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available."
    • Nmap is not affected because it doesn't use the AES-XTS mode (which isn't used for SSL).
  • CVE-2023-2650 - "Possible DoS translating ASN.1 object identifiers"
    • OpenSSL team reports: "Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow."
    • Nmap is not affected because we haven't enabled client authentication. Even if Nmap were affected, this would just slow the scan down a bit.

@guyharris

Was this intended to be an Nmap issue rather than an Npcap issue?

fyodor commented Apr 24, 2023

Thanks @guyharris, you're right. I'll move it. Some days I just have Npcap on the brain :).

@fyodor transferred this issue from nmap/npcap on Apr 24, 2023
fyodor commented Jul 17, 2023

I've updated this issue to note that we included the then-latest OpenSSL 3.0.8 in the May 19 release of Nmap 7.94. Then OpenSSL 3.0.9 was released on May 30. I also just added CVE-2023-2650, which has also been fixed in 3.0.9. While none of these CVEs affect Nmap (generally since it doesn't use the features involved), we understand that users don't like to even have the "vulnerable" DLLs on their system. So we'll make sure to upgrade to 3.0.9 for the next release.

@fyodor changed the title from "Update to OpenSSL 3.0.9 when released - tracking some minor OpenSSL 3.0.8 vulnerabilities" to "Update to OpenSSL 3.0.9 - tracking some minor OpenSSL 3.0.8 vulnerabilities" on Jul 18, 2023
@fyodor changed the title from "Update to OpenSSL 3.0.9 - tracking some minor OpenSSL 3.0.8 vulnerabilities" to "Update to OpenSSL 3.0.12 - tracking some minor OpenSSL 3.0.8 vulnerabilities" on Jan 25, 2024
@acasadoual

Now OpenSSL 3.0.13 CVE-2024-0727, CVE-2023-6237 and CVE-2023-6129

@fyodor changed the title from "Update to OpenSSL 3.0.12 - tracking some minor OpenSSL 3.0.8 vulnerabilities" to "Update to OpenSSL 3.0.13 - tracking some minor OpenSSL 3.0.8 vulnerabilities" on Mar 11, 2024
@dmiller-nmap

Resolved with Nmap 7.95.
