PAN-SA-2023-0001 Impact of OpenSSL Vulnerabilities Disclosed Feb 7, 2023
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the OpenSSL vulnerabilities that were disclosed on February 7, 2023 (CVE-2023-0286, CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401) as it relates to our products. At this time, there are no demonstrated scenarios that enable successful exploitation of these vulnerabilities in our products.
| CVE | Summary |
|---|---|
| CVE-2023-0286 | There is a type confusion vulnerability relating to X.400 address processinginside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING butthe public structure definition for GENERAL_NAME incorrectly specified the typeof the x400Address field as ASN1_TYPE. This field is subsequently interpreted bythe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than anASN1_STRING.When CRL checking is enabled (i.e. the application sets theX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to passarbitrary pointers to a memcmp call, enabling them to read memory contents orenact a denial of service. In most cases, the attack requires the attacker toprovide both the certificate chain and CRL, neither of which need to have avalid signature. If the attacker only controls one of these inputs, the otherinput must already contain an X.400 address as a CRL distribution point, whichis uncommon. As such, this vulnerability is most likely to only affectapplications which have implemented their own functionality for retrieving CRLsover a network. |
| CVE-2023-0215 | The public API function BIO_new_NDEF is a helper function used for streamingASN.1 data via a BIO. It is primarily used internally to OpenSSL to support theSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly byend user applications.The function receives a BIO from the caller, prepends a new BIO_f_asn1 filterBIO onto the front of it to form a BIO chain, and then returns the new head ofthe BIO chain to the caller. Under certain conditions, for example if a CMSrecipient public key is invalid, the new filter BIO is freed and the functionreturns a NULL result indicating a failure. However, in this case, the BIO chainis not properly cleaned up and the BIO passed by the caller still retainsinternal pointers to the previously freed filter BIO. If the caller then goes onto call BIO_pop() on the BIO then a use-after-free will occur. This will mostlikely result in a crash.This scenario occurs directly in the internal function B64_write_ASN1() whichmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() onthe BIO. This internal function is in turn called by the public API functionsPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.Other public API functions that may be impacted by this includei2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream andi2d_PKCS7_bio_stream.The OpenSSL cms and smime command line applications are similarly affected. |
| CVE-2022-4450 | The function PEM_read_bio_ex() reads a PEM file from a BIO and parses anddecodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.If the function succeeds then the "name_out", "header" and "data" arguments arepopulated with pointers to buffers containing the relevant decoded data. Thecaller is responsible for freeing those buffers. It is possible to construct aPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()will return a failure code but will populate the header argument with a pointerto a buffer that has already been freed. If the caller also frees this bufferthen a double free will occur. This will most likely lead to a crash. Thiscould be exploited by an attacker who has the ability to supply malicious PEMfiles for parsing to achieve a denial of service attack.The functions PEM_read_bio() and PEM_read() are simple wrappers aroundPEM_read_bio_ex() and therefore these functions are also directly affected.These functions are also called indirectly by a number of other OpenSSLfunctions including PEM_X509_INFO_read_bio_ex() andSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internaluses of these functions are not vulnerable because the caller does not free theheader argument if PEM_read_bio_ex() returns a failure code. These locationsinclude the PEM_read_bio_TYPE() functions as well as the decoders introduced inOpenSSL 3.0.The OpenSSL asn1parse command line application is also impacted by this issue. |
| CVE-2022-4304 | A timing based side channel exists in the OpenSSL RSA Decryption implementationwhich could be sufficient to recover a plaintext across a network in aBleichenbacher style attack. To achieve a successful decryption an attackerwould have to be able to send a very large number of trial messages fordecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,RSA-OEAP and RSASVE.For example, in a TLS connection, RSA is commonly used by a client to send anencrypted pre-master secret to the server. An attacker that had observed agenuine connection between a client and a server could use this flaw to sendtrial messages to the server and record the time taken to process them. After asufficiently large number of messages the attacker could recover the pre-mastersecret used for the original connection and thus be able to decrypt theapplication data sent over that connection. |
| CVE-2023-0401 | A NULL pointer can be dereferenced when signatures are beingverified on PKCS7 signed or signedAndEnveloped data. In case the hashalgorithm used for the signature is known to the OpenSSL library butthe implementation of the hash algorithm is not available the digestinitialization will fail. There is a missing check for the returnvalue from the initialization function which later leads to invalidusage of the digest API most likely leading to a crash.The unavailability of an algorithm can be caused by using FIPSenabled configuration of providers or more commonly by not loadingthe legacy provider.PKCS7 data is processed by the SMIME library calls and also by thetime stamp (TS) library calls. The TLS implementation in OpenSSL doesnot call these functions however third party applications would beaffected if they call these functions to verify signatures on untrusteddata. |
| CVE-2023-0217 | An invalid pointer dereference on read can be triggered when anapplication tries to check a malformed DSA public key by theEVP_PKEY_public_check() function. This will most likely leadto an application crash. This function can be called on publickeys supplied from untrusted sources which could allow an attackerto cause a denial of service attack.The TLS implementation in OpenSSL does not call this functionbut applications might call the function if there are additionalsecurity requirements imposed by standards such as FIPS 140-3. |
| CVE-2023-0216 | An invalid pointer dereference on read can be triggered when anapplication tries to load malformed PKCS7 data with thed2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.The result of the dereference is an application crash which couldlead to a denial of service attack. The TLS implementation in OpenSSLdoes not call this function however third party applications mightcall these functions on untrusted data. |
| CVE-2022-4203 | A read buffer overrun can be triggered in X.509 certificate verification,specifically in name constraint checking. Note that this occursafter certificate chain signature verification and requires either aCA to have signed the malicious certificate or for the application tocontinue certificate verification despite failure to construct a pathto a trusted issuer.The read buffer overrun might result in a crash which could lead toa denial of service attack. In theory it could also result in the disclosureof private memory contents (such as private keys, or sensitive plaintext)although we are not aware of any working exploit leading to memorycontents disclosure as of the time of release of this advisory.In a TLS client, this can be triggered by connecting to a maliciousserver. In a TLS server, this can be triggered if the server requestsclient authentication and a malicious client connects. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| AutoFocus | None | all |
| Bridgecrew | None | all |
| Cloud NGFW | None | all |
| Cortex Data Lake | None | all |
| Cortex XDR | None | all |
| Cortex XDR Agent | None | all |
| Cortex Xpanse | None | all |
| Cortex XSOAR | None | all |
| Enterprise Data Loss Prevention | None | all |
| Exact Data Matching CLI | None | all |
| Expanse | None | all |
| Expedition Migration Tool | None | all |
| GlobalProtect App | None | all |
| IoT Security | None | all |
| Okyo Garde | None | all |
| Palo Alto Networks App for Splunk | None | all |
| PAN-OS | None | all |
| Prisma Access | None | all |
| Prisma Cloud | None | all |
| Prisma Cloud Compute | None | all |
| Prisma SD-WAN (CloudGenix) | None | all |
| Prisma SD-WAN ION | None | all |
| SaaS Security | None | all |
| User-ID Agent | None | all |
| WildFire Appliance (WF-500) | None | all |
| WildFire Cloud | None | all |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.
Solution
Out of an abundance of caution, OpenSSL has been upgraded or patched in the following products to address the underlying code defects that result in these vulnerabilities:
For PAN-OS, these changes will be available in PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.
For GlobalProtect app, these changes will be available in GlobalProtect app 6.0.6 and later GlobalProtect app versions.
Timeline
Initial publication