OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*, +1 more
- >= 3.6, < 3.6.1
- >= 3.5, < 3.5.5
- >= 3.4, < 3.4.4
- >= 3.3, < 3.3.6
- >= 3.0, < 3.0.19
A type confusion vulnerability has been identified in OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.0, and 1.1.1, excluding 1.0.2. The issue arises in the TimeStamp Response verification process, where an ASN1_TYPE union member is accessed without proper type validation. This oversight can lead to an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file, causing a crash and resulting in a denial-of-service condition for the application.
Exploiting this vulnerability causes a NULL pointer dereference, leading to a crash and a denial-of-service condition for the application processing the affected TimeStamp Response.
To reproduce this vulnerability, an attacker must provide a malformed TimeStamp Response file to an application that verifies timestamp responses using the TS_RESP_verify_response() function. The vulnerability is triggered when the verification process encounters the unvalidated ASN1_TYPE union member, leading to a dereference of an invalid or NULL pointer.
Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.1, those on OpenSSL 3.5 should upgrade to OpenSSL 3.5.5, and users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.4.
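A practical follow-up to the affected ranges above is an inventory check: given the OpenSSL version strings reported by hosts or by the running interpreter, decide whether each falls inside the listed vulnerable ranges or on the fixed side of them. The code below is an added example, not part of this advisory or of OpenSSL itself. It encodes only the branches and fixed releases stated on this page; because 1.1.1 is listed as affected without a fixed release, it is reported as affected, 1.0.2 is reported as not affected as the page states, and any branch the page does not mention (3.1 or 3.2, for instance) is reported as "unlisted" rather than silently treated as safe. The inventory strings at the bottom are constructed sample input.

```python
import re
import ssl

# Affected branches and their first fixed release, taken from this advisory.
FIXED_IN = {
    (3, 6): (3, 6, 1),
    (3, 5): (3, 5, 5),
    (3, 4): (3, 4, 4),
    (3, 3): (3, 3, 6),
    (3, 0): (3, 0, 19),
}
# The page names 1.1.1 as affected but gives no fixed release for it,
# so every 1.1.1 build is flagged; 1.0.2 is explicitly not affected.
AFFECTED_NO_FIX_LISTED = {(1, 1, 1)}
NOT_AFFECTED = {(1, 0, 2)}

# Matches "3.5.4" as well as letter-suffixed releases such as "1.1.1w".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from e.g. 'OpenSSL 3.5.4 8 Jul 2025'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def classify(text):
    """Classify a version string against the ranges on this page.

    Returns one of: "affected", "fixed", "not_affected", "unlisted".
    """
    major, minor, patch, _letter = parse_openssl_version(text)
    release = (major, minor, patch)
    if release in AFFECTED_NO_FIX_LISTED:
        return "affected"
    if release in NOT_AFFECTED:
        return "not_affected"
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        # Branch not covered by the advisory: report it, do not assume safety.
        return "unlisted"
    return "affected" if release < fixed else "fixed"


def scan_inventory(inventory):
    """Map each host name to its classification; inventory is {host: version string}."""
    return {host: classify(version) for host, version in inventory.items()}


def check_runtime():
    """Classify the OpenSSL the running Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "tsa-verifier-01": "OpenSSL 3.5.4 8 Jul 2025",
    "tsa-verifier-02": "OpenSSL 3.6.1 11 Nov 2025",
    "legacy-gateway": "OpenSSL 1.1.1w 11 Sep 2023",
    "appliance-x": "OpenSSL 3.2.0 23 Nov 2023",
}

if __name__ == "__main__":
    for host, verdict in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
    print("runtime:", check_runtime())
```

Only hosts that verify timestamp responses through TS_RESP_verify_response() are actually exposed, so the "affected" verdict is a prompt to confirm that code path is in use and to schedule the upgrade the advisory names, not proof of exposure on its own.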