Rust OpenSSL Crate Out-of-Bounds Read Vulnerability in X509VerifyParamRef::set_host

Vulnerability

A buffer over-read vulnerability has been identified in the OpenSSL crate for Rust, affecting versions prior to 0.10.55. The issue is in the X509VerifyParamRef::set_host function: calling it with an empty string results in an out-of-bounds read. The function does not handle the empty input correctly, so the read continues past the end of the buffer until a null byte is encountered, causing a segmentation fault.

Impact

Exploitation of this vulnerability causes a segmentation fault, terminating the process and dumping core. This is a memory access violation: the program reads memory it should not have access to, and the contents of that memory could potentially be exposed.

Reproduction

The vulnerability can be reproduced in a Rust project that depends on an affected version of the OpenSSL crate. After establishing a TCP connection to a server (such as 'google.com' on port 443), a TlsConnector is configured with Server Name Indication (SNI) disabled. Passing an empty string as the hostname to X509VerifyParamRef::set_host then causes the application to segfault. Running the program under Valgrind confirms this: Valgrind logs the invalid memory read that caused the crash.

Remediation

Upgrade to version 0.10.55 or later of the OpenSSL crate, which contains the fix for this issue.
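A check for whether a project still pins an affected release, written as an added example that is not part of this advisory or of the rust-openssl project. It assumes the standard Cargo.lock layout (a [[package]] record with name and version lines), matches only the crate named exactly "openssl", and uses a constructed sample lockfile as input:

```rust
// Added example (not from the advisory or the rust-openssl project): report every
// `openssl` crate version pinned in a Cargo.lock that predates the fixed release.

/// First release with the set_host fix, per the advisory.
const FIXED: (u64, u64, u64) = (0, 10, 55);
/// Constructed sample lockfile: a vulnerable and a fixed `openssl` entry, plus an
/// `openssl-sys` entry that must not match by name.
pub const SAMPLE_LOCK: &str = r#"version = 3

[[package]]
name = "openssl"
version = "0.10.54"

[[package]]
name = "openssl-sys"
version = "0.9.88"

[[package]]
name = "openssl"
version = "0.10.55"
"#;

/// Parse "MAJOR.MINOR.PATCH". A pre-release or build suffix ("-beta", "+meta") is
/// dropped, so a pre-release of 0.10.55 is treated as already fixed (approximation).
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Versions of the crate named exactly `openssl` that compare lower than FIXED.
pub fn vulnerable_openssl_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut current_name: Option<&str> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            current_name = None; // new record: forget the previous package name
        } else if let Some(name) = line.strip_prefix("name = ") {
            current_name = Some(name.trim_matches('"'));
        } else if let Some(version) = line.strip_prefix("version = ") {
            let version = version.trim_matches('"');
            // Tuple comparison is lexicographic: major, then minor, then patch.
            let affected = parse_version(version).map_or(false, |v| v < FIXED);
            if current_name == Some("openssl") && affected {
                hits.push(version.to_string());
            }
        }
    }
    hits
}
```

Run it over a real Cargo.lock instead of SAMPLE_LOCK; any version it returns is older than 0.10.55 and should be upgraded.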

Added: Jul 28, 2025, 3:24 AM
Updated: Jul 28, 2025, 3:24 AM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.