OpenSSL NULL Pointer Dereference Vulnerability in Certificate Verification with OCSP Checking

Vulnerability

A NULL pointer dereference vulnerability has been identified in OpenSSL versions 4.0, 3.6, 3.5, 3.4, and 3.0. It occurs when partial-chain certificate verification is enabled together with OCSP response checking for the entire chain. If the verified chain lacks a self-signed trusted anchor, the missing anchor leads to a NULL dereference and a process crash. The root cause is that, during OCSP response checking, the code takes the next certificate in the chain as the issuer of the current one. With partial-chain verification enabled and no self-signed trusted anchor, the last certificate has no next certificate, so its issuer pointer is NULL and dereferencing it crashes the process.
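To make the missing guard concrete, the following is an added C model of the chain walk described above; it is a constructed example, not OpenSSL's code. `cert_t`, `check_one` and `ocsp_check_all` are hypothetical stand-ins, and treating a partial-chain anchor as trusted without its own OCSP check is an assumed policy, not OpenSSL's documented behaviour.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for one certificate in a verified chain. */
typedef struct {
    const char *subject;
    int self_signed;   /* 1 when the cert is its own issuer (a root) */
    int ocsp_good;     /* constructed OCSP verdict: 1 = good, 0 = revoked */
} cert_t;

enum { OCSP_OK = 0, OCSP_REVOKED = 1, OCSP_NO_ISSUER = 2 };

/* Validate cert's OCSP status against its issuer. Refuse a NULL issuer
 * instead of dereferencing it; this is the guard the crash lacks. */
static int check_one(const cert_t *cert, const cert_t *issuer) {
    if (issuer == NULL)
        return OCSP_NO_ISSUER;
    return cert->ocsp_good ? OCSP_OK : OCSP_REVOKED;
}

/* Walk the chain leaf first; chain[i + 1] is the issuer of chain[i].
 * The unguarded pattern takes "the next certificate" as issuer for every
 * element, which is NULL for the last one whenever partial-chain
 * verification let a non-self-signed intermediate serve as the anchor. */
int ocsp_check_all(const cert_t *chain, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const cert_t *issuer = (i + 1 < n) ? &chain[i + 1] : NULL;
        if (issuer == NULL && chain[i].self_signed)
            issuer = &chain[i];      /* a root validates its own response */
        if (issuer == NULL)          /* partial-chain anchor: trusted by */
            return OCSP_OK;          /* configuration (assumed policy)   */
        int r = check_one(&chain[i], issuer);
        if (r != OCSP_OK)
            return r;
    }
    return OCSP_OK;
}

/* Constructed chains: leaf -> intermediate -> root, and the same chain
 * truncated at the intermediate, which then acts as the trust anchor. */
const cert_t FULL_CHAIN[3]    = {{"leaf", 0, 1}, {"intermediate", 0, 1}, {"root", 1, 1}};
const cert_t PARTIAL_CHAIN[2] = {{"leaf", 0, 1}, {"intermediate", 0, 1}};
const cert_t REVOKED_CHAIN[2] = {{"leaf", 0, 0}, {"intermediate", 0, 1}};

int main(void) {
    printf("full chain:    %d\n", ocsp_check_all(FULL_CHAIN, 3));    /* 0 */
    printf("partial chain: %d\n", ocsp_check_all(PARTIAL_CHAIN, 2)); /* 0, no crash */
    printf("revoked leaf:  %d\n", ocsp_check_all(REVOKED_CHAIN, 2)); /* 1 */
    return 0;
}
```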

Impact

Exploitation of this vulnerability causes a process crash, leading to a denial-of-service condition for the affected application.

Reproduction

To reproduce this vulnerability, enable both OCSP response checking for the entire certificate chain and partial-chain verification. This can be done by setting the appropriate flags in the certificate verification process. Once both flags are active, use a certificate chain that does not include a self-signed trusted anchor. The absence of the trusted anchor will cause the last certificate in the chain to have a NULL issuer, triggering the NULL pointer dereference.

Remediation

Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1. Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.6. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.21.

Added: Jun 9, 2026, 8:05 PM
Updated: Jun 9, 2026, 8:05 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 2.5
exploitability: 8.4
remediation: 8.3
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.