CVE-2021-3449 - NULL Pointer Dereference

Severity: 59%

Complexity: 22%

Confidentiality: 60%

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

CVSS 3.1 Base Score 5.9. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P).
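The advisory gives the affected range as 1.1.1 through 1.1.1j with the fix in 1.1.1k. The following added example (not part of the advisory or of OpenSSL itself) turns that range into a check that can be run over the banner lines `openssl version` prints on each host; the encoding routine mirrors the 1.x OPENSSL_VERSION_NUMBER layout but is this example's own code, and the sample banners are constructed.

```c
/* Added example, not part of the advisory or of OpenSSL: classify an OpenSSL
 * build as affected by CVE-2021-3449 from the line `openssl version` prints.
 * Affected range per the advisory: 1.1.1 through 1.1.1j; fixed in 1.1.1k. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Encode "M.N.F[p]" like OPENSSL_VERSION_NUMBER does for 1.x: 0xMNNFFPP0,
 * PP = patch letter (a=1 ... z=26, none=0). The status nibble is left 0.
 * Returns 0 when the string does not start with a version. */
static unsigned long openssl_version_encode(const char *s)
{
    unsigned major, minor, fix, patch = 0;
    int n = 0;

    if (strncmp(s, "OpenSSL ", 8) == 0)      /* accept the full banner line */
        s += 8;
    if (sscanf(s, "%u.%u.%u%n", &major, &minor, &fix, &n) != 3)
        return 0;
    if (islower((unsigned char)s[n]))        /* optional patch letter, e.g. "j" */
        patch = (unsigned)(s[n] - 'a' + 1);
    if (major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | ((unsigned long)patch << 4);
}

/* 1 = affected by CVE-2021-3449, 0 = not affected or unparseable. */
static int cve_2021_3449_affected(const char *version_line)
{
    unsigned long v = openssl_version_encode(version_line);
    return v >= 0x10101000UL /* 1.1.1 */ && v < 0x101010b0UL /* 1.1.1k */;
}

int main(void)
{
    /* Constructed sample banners, as a fleet inventory script might collect. */
    const char *banners[] = {
        "OpenSSL 1.1.1j  16 Feb 2021", "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.1.1  11 Sep 2018",  "OpenSSL 1.0.2u  20 Dec 2019",
    };
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-30s %s\n", banners[i],
               cve_2021_3449_affected(banners[i]) ? "AFFECTED" : "not affected");
    return 0;
}
```

A hit only means the library is in range; per the advisory the server is exposed only while TLSv1.2 and renegotiation are both enabled, so an affected host that has already disabled renegotiation (SSL_OP_NO_RENEGOTIATION on 1.1.1) is lower priority than one on the default configuration.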

Demo Examples

NULL Pointer Dereference

CWE-476

While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.


               
    if (pointer1 != NULL) {
        /* make use of pointer1 */
        /* ... */
    }

If you are working in a multithreaded or otherwise asynchronous environment, make sure the proper locking APIs are used to take the lock before the if statement and to release it once the pointer is no longer in use; otherwise the pointer can become NULL between the check and the use.

NULL Pointer Dereference

CWE-476

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.


               
    #include <string.h>
    #include <netdb.h>
    #include <arpa/inet.h>

    void validate_addr_form(char *addr);   /* assumed to be defined elsewhere in the program */

    void host_lookup(char *user_supplied_addr) {
        struct hostent *hp;
        in_addr_t addr;
        char hostname[64];

        /* routine that ensures user_supplied_addr is in the right format for conversion */
        validate_addr_form(user_supplied_addr);
        addr = inet_addr(user_supplied_addr);
        hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
        /* hp is used without checking whether gethostbyaddr() returned NULL,
           and strcpy() copies h_name into a fixed 64-byte buffer unbounded */
        strcpy(hostname, hp->h_name);
    }

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference would then occur in the call to strcpy().

Note that this example is also vulnerable to a buffer overflow (see CWE-119).
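As an added example (not from the CWE entry), here is a hardened counterpart of the gethostbyaddr() lookup above that closes both defects: the lookup result is checked before use, and the copy into the fixed buffer is bounded. The copy step is split into its own function so the NULL and overflow paths can be exercised without a DNS round-trip; host_lookup_safe and copy_hostname are names chosen for this example.

```c
/* Added example, not from the CWE entry: hardened counterpart of the
 * gethostbyaddr() lookup. Checks the lookup result (CWE-252/CWE-476) and
 * bounds the copy into the hostname buffer (CWE-119). */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Copy hp->h_name into dst. Returns 0 on success, -1 when the lookup produced
 * no result (hp == NULL) or the name would not fit in dst. */
static int copy_hostname(const struct hostent *hp, char *dst, size_t dstlen)
{
    if (hp == NULL || hp->h_name == NULL || dstlen == 0)
        return -1;                          /* unresolved address: no dereference */
    size_t len = strlen(hp->h_name);
    if (len >= dstlen)
        return -1;                          /* would overflow dst, refuse instead */
    memcpy(dst, hp->h_name, len + 1);
    return 0;
}

/* User-supplied address in, hostname out; every failure is reported
 * instead of crashing. */
static int host_lookup_safe(const char *user_supplied_addr,
                            char *hostname, size_t hostname_len)
{
    struct in_addr addr;
    /* inet_pton() both validates the dotted quad and converts it */
    if (inet_pton(AF_INET, user_supplied_addr, &addr) != 1)
        return -1;                          /* malformed address */
    return copy_hostname(gethostbyaddr(&addr, sizeof addr, AF_INET),
                         hostname, hostname_len);
}

int main(int argc, char **argv)
{
    char hostname[64];
    if (argc != 2 || host_lookup_safe(argv[1], hostname, sizeof hostname) != 0) {
        fprintf(stderr, "lookup failed: malformed, unresolvable or name too long\n");
        return 1;
    }
    printf("%s\n", hostname);
    return 0;
}
```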

NULL Pointer Dereference

CWE-476

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.


               
    String cmd = System.getProperty("cmd");
    cmd = cmd.trim();   // NullPointerException when the "cmd" property is not defined

NULL Pointer Dereference

CWE-476

This application has registered to handle a URL when sent an intent:


               
    // action and extra names below are illustrative
    IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
    UrlHandlerReceiver receiver = new UrlHandlerReceiver();
    registerReceiver(receiver, filter);
    ...

    public class UrlHandlerReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if ("com.example.URLHandler.openURL".equals(intent.getAction())) {
                // getStringExtra() returns null when the sender omitted the extra
                String URL = intent.getStringExtra("URLToOpen");
                int length = URL.length();   // NullPointerException when URL is null
                ...
            }
        }
    }

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Overview

First reported: 2021-03-25 15:15:00 (4 years ago)

Last updated: 2021-10-20 11:17:00 (3 years ago)

Affected Software

OpenSSL Project OpenSSL

NetApp ONTAP Select Deploy Administration Utility

NetApp Active IQ Unified Manager for VMware vSphere

Debian Linux 9.0

Oracle MySQL Connectors

Oracle PeopleSoft Enterprise PeopleTools 8.57

Oracle PeopleSoft Enterprise PeopleTools 8.58

Siemens SIMATIC Logon 1.5 Service Pack 3 Update 1

References

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148 (Mailing List, Patch, Vendor Advisory)

https://www.openssl.org/news/secadv/20210325.txt (Vendor Advisory)

20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021 (Third Party Advisory)

DSA-4875 (Third Party Advisory)

https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc (Third Party Advisory)

https://security.netapp.com/advisory/ntap-20210326-0006/ (Third Party Advisory)

[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (Mailing List, Third Party Advisory)

[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (Mailing List, Third Party Advisory)

[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (Mailing List, Third Party Advisory)

[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing (Mailing List, Third Party Advisory)

GLSA-202103-03 (Third Party Advisory)

FEDORA-2021-cbf14ab8f9 (Mailing List, Third Party Advisory)

https://www.tenable.com/security/tns-2021-05 (Third Party Advisory)

https://www.tenable.com/security/tns-2021-06 (Third Party Advisory)

https://kc.mcafee.com/corporate/index?page=content&id=SB10356 (Third Party Advisory)

https://www.tenable.com/security/tns-2021-09 (Third Party Advisory)

https://security.netapp.com/advisory/ntap-20210513-0002/ (Third Party Advisory)

https://www.tenable.com/security/tns-2021-10 (Third Party Advisory)

https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)

https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf (Patch, Third Party Advisory)

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845 (Third Party Advisory)

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013 (Third Party Advisory)

N/A (Patch, Third Party Advisory)

[debian-lts-announce] 20210831 [SECURITY] [DLA 2751-1] postgresql-9.6 security update (Mailing List, Third Party Advisory)

https://www.oracle.com/security-alerts/cpuoct2021.html
