OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*
- ~3.6
- ~3.5
- ~3.4
- ~3.3
- ~3.0
- ~1.1.1
- ~1.0.2
A NULL pointer dereference vulnerability has been identified in OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0. This issue occurs during the processing of delta Certificate Revocation Lists (CRLs) that contain a Delta CRL Indicator extension, but lack the required CRL Number extension. The absence of the CRL Number extension can lead to a crash, causing a Denial of Service for applications that process the malformed delta CRL. This vulnerability arises because the delta CRL processing does not verify the presence of the CRL Number extension before dereferencing it, allowing a crafted delta CRL to cause a NULL pointer dereference. Exploitation requires the X509_V_FLAG_USE_DELTAS flag to be enabled, the certificate to include a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.
Exploiting this vulnerability can cause a NULL pointer dereference, leading to a crash and a Denial of Service for the affected application.
To reproduce this vulnerability, enable CRL processing and delta CRL processing during X.509 certificate verification. Ensure that the certificate being verified contains a freshestCRL extension or that the base CRL has the EXFLAG_FRESHEST flag set. Then, provide a malformed delta CRL that lacks the necessary CRL Number extension to an application that processes CRLs.
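A defensive pre-check for applications that cannot upgrade immediately: before a CRL reaches a verifier that has X509_V_FLAG_USE_DELTAS enabled, reject any CRL whose extensions carry the Delta CRL Indicator (OID 2.5.29.27) but not CRL Number (OID 2.5.29.20), which is exactly the shape the advisory describes. This is an added stand-alone Python example, not OpenSSL project code; it walks the DER directly so it needs no OpenSSL bindings, and the three sample CRLs are constructed, unsigned skeletons.

```python
# Added example: detect a delta CRL that lacks the CRL Number extension by
# walking the DER of the CRL directly. OIDs below are the RFC 5280 id-ce values;
# the sample CRLs at the bottom are constructed for this example.
DELTA_CRL_INDICATOR = bytes.fromhex("551d1b")  # 2.5.29.27 as DER OID content
CRL_NUMBER = bytes.fromhex("551d14")           # 2.5.29.20 as DER OID content

def _tlvs(data: bytes):
    """Yield (tag, value) for each definite-length DER TLV in data."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                       # long form: 0x8N, then N length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def crl_extension_oids(crl_der: bytes) -> set:
    """Return the extnID OIDs (raw DER content bytes) found in crlExtensions."""
    cert_list = next(_tlvs(crl_der))[1]          # CertificateList ::= SEQUENCE
    tbs = next(_tlvs(cert_list))[1]              # first field: tbsCertList
    for tag, value in _tlvs(tbs):
        if tag == 0xA0:                          # [0] EXPLICIT Extensions (last field)
            exts = next(_tlvs(value))[1]         # SEQUENCE OF Extension
            return {next(_tlvs(ext))[1] for _, ext in _tlvs(exts)}
    return set()

def is_malformed_delta_crl(crl_der: bytes) -> bool:
    """True when the CRL claims to be a delta CRL but omits CRL Number."""
    oids = crl_extension_oids(crl_der)
    return DELTA_CRL_INDICATOR in oids and CRL_NUMBER not in oids

def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV encoder, enough for the small constructed samples."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_crl(*exts) -> bytes:
    """Constructed, unsigned CRL skeleton; exts are (oid_content, extnValue) pairs."""
    ext_seq = b"".join(_der(0x30, _der(0x06, oid) + _der(0x04, val)) for oid, val in exts)
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = (_der(0x02, b"\x01") + alg + _der(0x30, b"")                  # v2, sigalg, issuer
           + _der(0x17, b"250101000000Z") + _der(0xA0, _der(0x30, ext_seq)))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 9))

MALFORMED_DELTA = build_crl((DELTA_CRL_INDICATOR, _der(0x02, b"\x05")))
VALID_DELTA = build_crl((CRL_NUMBER, _der(0x02, b"\x07")), (DELTA_CRL_INDICATOR, _der(0x02, b"\x05")))
BASE_CRL = build_crl((CRL_NUMBER, _der(0x02, b"\x05")))
```

Wire `is_malformed_delta_crl` in front of whatever loads CRLs into the X509_STORE; a CRL it flags should be dropped and logged rather than handed to the verifier.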
Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.2. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.6. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.5. Users of OpenSSL 3.3 should upgrade to OpenSSL 3.3.7. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.20.