CVE-2023-53159
Description
The openssl crate before 0.10.55 for Rust allows an out-of-bounds read via an empty string to X509VerifyParamRef::set_host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read vulnerability in the `openssl` Rust crate (before 0.10.55) allows an attacker to trigger undefined behavior via an empty host string.
Vulnerability
Overview
The openssl crate for Rust, versions prior to 0.10.55, contains an out-of-bounds read in X509VerifyParamRef::set_host. The wrapper forwards the Rust string's pointer and length to OpenSSL's X509_VERIFY_PARAM_set1_host, and OpenSSL treats a length of zero as "the name is NUL-terminated, measure it with strlen". A Rust &str or String is not NUL-terminated, so when the host is empty the C code runs strlen on a pointer to a zero-length buffer and keeps reading past it until it happens to find a NUL byte somewhere in adjacent memory, a buffer over-read [1][4].
Exploitation
Conditions
The vulnerability is triggered by any code path that calls set_host with an empty string (for example String::from("") or ""). It reproduces both through native_tls and with direct use of the openssl crate. No authentication or special network access is required; whoever controls the hostname value an application passes to set_host (configuration, a URL supplied by a user, a redirect target) can trigger it [2]. A public proof of concept shows that passing an empty string crashes the process with a segmentation fault; the faulting access is an invalid read of size 1 inside OpenSSL's int_x509_param_set_hosts [2].
Impact
The over-read continues until strlen meets a NUL byte. If that scan runs into an unmapped page the application crashes with a segmentation fault, giving a denial of service. If it stops earlier, the bytes between the start of the empty buffer and the NUL are taken by OpenSSL as the expected hostname, so stale heap or stack contents end up in the verification parameters; depending on what memory lies there, this is an information disclosure or a corruption of the hostname check [4].
Mitigation
Users should upgrade to openssl crate version 0.10.55 or later, which handles the empty-host case so that OpenSSL is never asked to run strlen on a Rust buffer that has no NUL terminator [1]. native_tls is fixed by the same change once it builds against a patched openssl crate; check Cargo.lock for the resolved openssl version rather than the native_tls version alone. Code that cannot upgrade yet should reject an empty hostname before it reaches set_host. The RustSec advisory (RUSTSEC-2023-0044) lists the affected versions as <0.10.55 [4].
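To make the mechanics above concrete, the following is an added example written for this page, not code from the openssl crate or from OpenSSL. It reproduces only the one OpenSSL rule that matters here, that a zero namelen means "call strlen on name", in a stand-in function, then places the pointer-and-length forwarding pattern of the unpatched wrapper next to a hardened form that points OpenSSL at a NUL byte for an empty host, plus a caller-side guard for code pinned to an unpatched crate. The names set1_host_model, set_host_vulnerable, set_host_fixed and set_host_guarded are the example's own.

```rust
/// Stand-in for the length rule of OpenSSL's X509_VERIFY_PARAM_set1_host()
/// (implemented in int_x509_param_set_hosts): a namelen of 0 means "name is
/// NUL-terminated, measure it yourself", i.e. strlen(name). This model only
/// reproduces that rule and returns the length OpenSSL would use; it is not
/// OpenSSL's code.
unsafe fn set1_host_model(name: *const u8, namelen: usize) -> usize {
    if namelen == 0 {
        // strlen(): walk forward until a NUL byte. With a pointer to a buffer
        // that holds no NUL, this walk is the out-of-bounds read.
        let mut n = 0;
        unsafe {
            while *name.add(n) != 0 {
                n += 1;
            }
        }
        n
    } else {
        namelen
    }
}

/// Forwarding pattern of openssl < 0.10.55: the &str's pointer and length go
/// to the C side unchanged. Fine for non-empty hosts; for "" OpenSSL receives
/// length 0 and a pointer to a buffer with no terminator, and over-reads.
/// Calling this with an empty host is undefined behaviour, so the demo and the
/// tests never do.
fn set_host_vulnerable(host: &str) -> usize {
    unsafe { set1_host_model(host.as_ptr(), host.len()) }
}

/// Hardened form (the example's own): for an empty host, hand OpenSSL a
/// pointer to a NUL byte so the strlen() fallback stops at once. The length
/// argument stays host.len(), so non-empty hosts behave exactly as before.
fn set_host_fixed(host: &str) -> usize {
    let raw_host: &str = if host.is_empty() { "\0" } else { host };
    unsafe { set1_host_model(raw_host.as_ptr(), host.len()) }
}

/// Caller-side guard for code still on an unpatched crate: refuse to forward
/// an empty hostname at all, so the C side never sees namelen == 0.
fn set_host_guarded(host: &str) -> Result<usize, &'static str> {
    if host.is_empty() {
        return Err("refusing to call set_host with an empty hostname");
    }
    Ok(set_host_vulnerable(host))
}

fn main() {
    // Constructed sample inputs: a normal hostname and the triggering empty one.
    for &host in ["example.com", ""].iter() {
        println!("fixed({:?})   -> OpenSSL sees length {}", host, set_host_fixed(host));
        println!("guarded({:?}) -> {:?}", host, set_host_guarded(host));
    }
}
```

The guard is the pragmatic stopgap for a dependency tree that cannot move to 0.10.55 yet; the substitution in set_host_fixed is the shape of fix that belongs inside the wrapper, because the invariant being protected (never pass length 0 with an unterminated buffer) is an FFI contract the wrapper owns, not its callers.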
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openssl (crates.io) | >= 0.10.0, < 0.10.55 | 0.10.55 |
Affected products
- openssl (crates.io): range <0.10.55
- sfackler/openssl (GitHub)