OpenSSL NULL Pointer Dereference Vulnerability in QUIC Protocol Handling

Vulnerability

A NULL pointer dereference vulnerability has been identified in OpenSSL versions 3.6, 3.5, 3.4, and 3.3, in the SSL_CIPHER_find() function when it is used by a QUIC protocol client or server. The dereference is triggered when the application receives an unknown or unsupported cipher suite from a peer; the process terminates abnormally, resulting in a denial-of-service condition. The issue was introduced in version 3.2 together with QUIC support.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to a crash and denial-of-service condition for the affected application.

Reproduction

The vulnerability can be reproduced by calling the SSL_CIPHER_find() function from the client_hello_cb callback of an application operating in the QUIC protocol context. If the function is passed an unknown or unsupported cipher ID received from the peer, a NULL pointer dereference occurs.

Remediation

Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.1, users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.5, users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.4, and users of OpenSSL 3.3 should upgrade to OpenSSL 3.3.6.
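A practitioner working through the remediation above usually wants to scan an inventory of reported OpenSSL versions and flag the ones still inside the affected ranges. The following is an added example, not code from the advisory or from the OpenSSL project; the fixed releases are the ones listed above, and the 3.2 branch is treated as affected with no listed fix (an assumption, since the page names no 3.2 release). The inventory lines are constructed sample input.

```python
import re

# Fixed releases per branch, taken from the Remediation section above.
FIXED = {
    (3, 3): (3, 3, 6),
    (3, 4): (3, 4, 4),
    (3, 5): (3, 5, 5),
    (3, 6): (3, 6, 1),
}
FIRST_AFFECTED = (3, 2, 0)  # QUIC support, and with it the bug, arrived in 3.2


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'OpenSSL 3.5.2' or '3.6.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version lies in an affected range, False if pre-3.2 or fixed.

    Raises ValueError for a branch the advisory does not cover (e.g. 3.7+),
    so unknown branches are never silently reported as safe.
    """
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False  # 1.1.1 / 3.0 / 3.1 never had QUIC support
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if branch == (3, 2):
        return True  # assumption: page lists no fixed 3.2 release
    raise ValueError(f"branch {branch[0]}.{branch[1]} not covered by this advisory")


def affected_hosts(inventory):
    """Return the host names whose reported OpenSSL version is still affected."""
    hits = []
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(":")
        if is_affected(version):
            hits.append(host.strip())
    return hits


# Constructed sample inventory: "host: output of `openssl version`".
SAMPLE_INVENTORY = """
edge-1: OpenSSL 3.5.2
edge-2: OpenSSL 3.6.1
api-1: OpenSSL 3.3.6
api-2: OpenSSL 3.4.3
legacy: OpenSSL 3.1.7
"""

if __name__ == "__main__":
    print("still affected:", affected_hosts(SAMPLE_INVENTORY))
```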

Added: Jan 27, 2026, 5:03 PM
Updated: Jan 27, 2026, 5:03 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.