Computer emergency response teams (CERTs) and other cybersecurity agencies around the world have released alerts and advisories for a recently disclosed denial-of-service (DoS) vulnerability affecting OpenSSL, and vendors have started assessing the impact of the flaw on their products.
The OpenSSL Project announced this week that OpenSSL 1.1.1i patches a high-severity vulnerability that can be exploited for remote DoS attacks. The security hole, tracked as CVE-2020-1971 and described as a NULL pointer dereference issue, was reported by Google’s David Benjamin and it impacts all 1.1.1 and 1.0.2 versions.
“The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack,” the OpenSSL Project said in its advisory.
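Because the fix is a point release within two long-lived branches, the practical defender's task is to find every OpenSSL build in inventory that is still below 1.1.1i (or anywhere on 1.0.2, which the advisory lists as affected and for which this page gives no fixed version). The following script is an added example, not code from the OpenSSL Project or from this article: it parses OpenSSL's letter-suffixed version strings, decides whether a given build falls in the affected range described above, and triages a constructed sample inventory. The inventory lines, the host names, and the decision to treat all 1.0.2 builds as affected are assumptions made for the example.

```python
import re
import ssl

# Fix version named in the advisory quoted above. Assumption for this example: every
# 1.0.2 build is treated as affected, since the page gives no fixed 1.0.2 release.
FIXED_1_1_1 = (1, 1, 1, "i")

# Matches "1.1.1h" inside strings such as "OpenSSL 1.1.1h  22 Sep 2020".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from an OpenSSL version banner or bare version."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def _letter_key(letter):
    # OpenSSL patch letters run a..z then za, zb, ...; a plain release has no letter.
    # Ordering by (length, text) keeps "" < "a" < "z" < "za" correct.
    return (len(letter), letter)


def is_vulnerable_cve_2020_1971(version):
    """True if the build falls in the affected range stated in the advisory."""
    major, minor, patch, letter = version
    series = (major, minor, patch)
    if series == (1, 0, 2):
        return True  # advisory: all 1.0.2 versions affected (no fix version on this page)
    if series == (1, 1, 1):
        return _letter_key(letter) < _letter_key(FIXED_1_1_1[3])  # below 1.1.1i
    return False  # other branches are not named as affected by the advisory


def triage(inventory_lines):
    """Return host names whose recorded OpenSSL build is affected.

    Each line is "<host> <openssl version banner>", as a fleet scanner might record it.
    """
    affected = []
    for line in inventory_lines:
        host, _, banner = line.partition(" ")
        if is_vulnerable_cve_2020_1971(parse_openssl_version(banner)):
            affected.append(host)
    return affected


def check_local():
    """Check the OpenSSL linked into this Python interpreter."""
    return is_vulnerable_cve_2020_1971(parse_openssl_version(ssl.OPENSSL_VERSION))


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = [
    "web01 OpenSSL 1.1.1h  22 Sep 2020",   # below 1.1.1i -> affected
    "web02 OpenSSL 1.1.1i  8 Dec 2020",    # fixed release
    "db02 OpenSSL 1.0.2u  20 Dec 2019",    # 1.0.2 branch -> affected
    "lb01 OpenSSL 1.1.0l  10 Sep 2019",    # branch not named in the advisory
]

if __name__ == "__main__":
    print("affected hosts:", triage(SAMPLE_INVENTORY))
    print("local OpenSSL affected:", check_local(), "-", ssl.OPENSSL_VERSION)
```

Run against a real export of version banners (from package managers or service fingerprints) the same function gives a patch list; the letter ordering helper matters because a naive string comparison would rank a hypothetical "1.1.1za" below "1.1.1i".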
After the patch was made available, several organizations released advisories and alerts to inform users about the risk posed by the vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised admins and users to review the OpenSSL advisory and take action as needed.
The list of national cybersecurity agencies that have released advisories and alerts for CVE-2020-1971 includes Japan’s JPCERT, France’s CERT-FR, India’s National Critical Information Infrastructure Protection Centre (NCIIPC), and Australia’s AusCERT. The European Union’s CERT-EU has shared links to news articles and advisories covering CVE-2020-1971.
Linux distributions have also released advisories, including Red Hat, Debian, Ubuntu and CloudLinux, which is a distribution designed for hosting providers and data centers.
In an advisory released on Wednesday, the CERT at Chinese cybersecurity firm Qihoo 360 said it spotted millions of impacted servers, with the highest numbers in the United States (1.2 million) and China (900,000).
Palo Alto Networks published an advisory on Wednesday to inform customers that the OpenSSL vulnerability does not impact its PAN-OS, GlobalProtect App, or Cortex XSOAR products. “The scenarios required for successful exploitation do not exist on these products,” the company said.
IBM published several security bulletins for OpenSSL vulnerabilities this week, but none of them addresses CVE-2020-1971 — they address OpenSSL flaws disclosed last year.
Cisco, F5 Networks and other major companies whose products use OpenSSL could also release advisories in the coming days.
*updated with correct CVE identifier
Related: Evolution of OpenSSL Security After Heartbleed
Related: First OpenSSL Updates in 2018 Patch Three Flaws
Related: OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements