VYPR
High severity · NVD Advisory · Published Feb 8, 2023 · Updated Nov 4, 2025

NULL dereference during PKCS7 data verification

CVE-2023-0401

Description

A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail. There is a missing check for the return value from the initialization function, which later leads to invalid usage of the digest API, most likely leading to a crash.

The unavailability of an algorithm can be caused by using a FIPS-enabled configuration of providers or, more commonly, by not loading the legacy provider.

PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions; however, third-party applications would be affected if they call these functions to verify signatures on untrusted data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in OpenSSL's PKCS7 signature verification can cause a crash when a hash algorithm's implementation is unavailable.

Vulnerability

Overview

CVE-2023-0401 is a NULL pointer dereference vulnerability in OpenSSL's handling of PKCS7 signed or signedAndEnveloped data. When verifying a PKCS7 signature, the library initializes the digest for the hash algorithm specified in the signature. If the hash algorithm's name is recognized but its implementation is not loaded (e.g., due to a FIPS-only configuration or failure to load the legacy provider), the digest initialization function returns an error. However, the code does not check this return value, leading to a subsequent call to the digest API with a NULL pointer, which typically results in a crash [1][2].

Exploitation

An attacker can exploit this by crafting a PKCS7 message that uses a hash algorithm known to OpenSSL but whose implementation is unavailable. The vulnerability is reachable through any application that calls OpenSSL's PKCS7 verification functions, such as those in the SMIME or Time Stamp (TS) libraries. The TLS implementation itself does not use these functions, but third-party applications that verify signatures on untrusted data (e.g., email clients, signature verification tools) are affected. The attack does not require authentication, as the PKCS7 data can be supplied externally [2][3].

Impact

Successful exploitation leads to a denial of service (DoS) via application crash. The vulnerability does not appear to allow arbitrary code execution or memory corruption beyond the immediate crash; the advisory and NVD description only indicate a crash [1][2]. The severity was rated High (CVSS v3.1 7.5) due to the network attack vector and low complexity, though the impact is limited to availability.

Mitigation

OpenSSL 3.0 users should upgrade to version 3.0.8, which includes the fix. For OpenSSL 1.1.1 and 1.0.2 the issue is present, but as of this advisory no patch has been released for 1.1.1; the main advisory lists fixes only for 3.0.8 and 1.1.1t (the latter addresses other issues). Users of the openssl-src Rust crate are patched in version 300.0.12 and later [3][4]. Ensuring the legacy provider is loaded when it is needed mitigates the missing-algorithm condition, but applying the vendor patch is the safest approach.
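The failure mode above is "digest known by name, implementation not loaded". An application-side pre-check for that condition, added here as an example (not OpenSSL's or the openssl-src crate's code): it walks the DER SET OF AlgorithmIdentifier that PKCS7 SignedData carries as digestAlgorithms and reports every digest OID the running build cannot actually compute, so a message naming a legacy-only algorithm such as MD4 is rejected up front instead of reaching a digest initialization whose failure went unchecked. The OID table, the `_tlv`/`_decode_oid` helpers, the `available` parameter and the sample bytes are constructed for this example; OpenSSL's own fix is to check the initialization return value.

```python
import hashlib

# OID -> hashlib name for the digests this example recognises (constructed table).
# MD4 lives in OpenSSL 3.0's legacy provider: known by name, unavailable unless loaded.
DIGEST_OIDS = {
    "1.2.840.113549.2.4": "md4",
    "2.16.840.1.101.3.4.2.1": "sha256",
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (first byte packs two arcs, rest base-128)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def digest_oids_in_set(der):
    """Return the OIDs named in a DER SET OF AlgorithmIdentifier (SignedData.digestAlgorithms)."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x31:
        raise ValueError("expected SET OF AlgorithmIdentifier")
    oids, pos = [], 0
    while pos < len(body):
        seq_tag, seq, pos = _tlv(body, pos)
        oid_tag, oid, _ = _tlv(seq, 0)
        if seq_tag != 0x30 or oid_tag != 0x06:
            raise ValueError("expected AlgorithmIdentifier { OBJECT IDENTIFIER, ... }")
        oids.append(_decode_oid(oid))
    return oids

def unavailable_digests(der, available=None):
    """OIDs this build cannot compute (unknown OIDs count too); non-empty means reject before verifying."""
    if available is None:
        available = hashlib.algorithms_available  # digests the linked OpenSSL actually offers
    return [o for o in digest_oids_in_set(der) if DIGEST_OIDS.get(o) not in available]

# Constructed sample: SET { SEQ { OID sha256, NULL }, SEQ { OID md4, NULL } }
SAMPLE = bytes.fromhex("31 1d 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00"
                       "30 0c 06 08 2a 86 48 86 f7 0d 02 04 05 00")
```

With the default `available`, the result depends on whether the Python build's OpenSSL has the legacy provider loaded, which is exactly the configuration difference the advisory describes.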

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions         Patched versions
openssl-src (crates.io)   >= 300.0.0, < 300.0.12    300.0.12

Affected products: 43

Patches: 0 (no patches discovered yet)


References: 7
