AWS-LC CRL Distribution Point Validation Logic Error Vulnerability

Vulnerability

A logic error has been identified in AWS-LC versions 1.24.0 up to, but not including, 1.71.0, and in AWS-LC-FIPS versions 3.0.0 up to, but not including, 3.3.0. The error affects the validation of Certificate Revocation Lists (CRLs) during X.509 certificate verification. When CRL checking is enabled, a partitioned CRL carrying an Issuing Distribution Point (IDP) extension can be incorrectly judged out of scope for a revoked certificate, so the revocation entry is never applied and the certificate bypasses the revocation check. Applications that do not enable CRL checking, or that rely on complete, non-partitioned CRLs without IDP extensions, are not affected.
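The scope decision the advisory describes, as an added example that is not AWS-LC's code: a model of the RFC 5280 section 6.3.3 matching between a certificate's CRL Distribution Points (CDP) and a CRL's Issuing Distribution Point (IDP), followed by a revocation lookup that fails closed when no in-scope CRL exists. Certificates, CRLs, the two partition URIs and the serial numbers are constructed sample values, so the block runs without a crypto library; `crl_in_scope`, `revocation_status` and `run_checks` are names chosen for this example.

```python
"""Model of the CRL scope check for partitioned CRLs (RFC 5280, section 6.3.3).

Added example, not AWS-LC code.  Certificates and CRLs are plain dataclasses
holding constructed sample values, so it runs without any crypto library.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    is_ca: bool
    # Distribution point URIs from the certificate's CRL Distribution Points extension
    cdp_uris: tuple = ()


@dataclass(frozen=True)
class Crl:
    # Distribution point URIs from the CRL's Issuing Distribution Point (IDP)
    # extension; an empty tuple models a complete CRL with no IDP extension.
    idp_uris: tuple = ()
    only_user_certs: bool = False   # IDP onlyContainsUserCerts
    only_ca_certs: bool = False     # IDP onlyContainsCACerts
    revoked_serials: frozenset = frozenset()


def crl_in_scope(cert: Cert, crl: Crl) -> bool:
    """True if `crl` is authoritative for `cert` (RFC 5280 6.3.3 step (b))."""
    if crl.only_user_certs and cert.is_ca:
        return False
    if crl.only_ca_certs and not cert.is_ca:
        return False
    if not crl.idp_uris:
        return True  # complete CRL: covers every certificate of the issuer
    # Partitioned CRL: one of the CRL's IDP names must match one of the
    # certificate's CDP names, otherwise this CRL says nothing about the cert.
    return any(uri in crl.idp_uris for uri in cert.cdp_uris)


def revocation_status(cert: Cert, crls) -> str:
    """Return 'revoked', 'good' or 'undetermined'.

    Fails closed: with no in-scope CRL the status is 'undetermined', which a
    verifier with CRL checking enabled must treat as a failure, not as 'good'.
    A scope check that wrongly excludes a CRL therefore surfaces as a
    verification error instead of silently accepting a revoked certificate.
    """
    in_scope = [crl for crl in crls if crl_in_scope(cert, crl)]
    if not in_scope:
        return "undetermined"
    if any(cert.serial in crl.revoked_serials for crl in in_scope):
        return "revoked"
    return "good"


# Constructed sample data: one issuer publishing two user-certificate partitions.
PARTITION_A = "http://crl.example.test/issuer/part-a.crl"
PARTITION_B = "http://crl.example.test/issuer/part-b.crl"

CRL_A = Crl(idp_uris=(PARTITION_A,), only_user_certs=True,
            revoked_serials=frozenset({1001}))
CRL_B = Crl(idp_uris=(PARTITION_B,), only_user_certs=True,
            revoked_serials=frozenset())


def run_checks() -> dict:
    """Evaluate a few constructed certificates against the two partitions."""
    crls = [CRL_A, CRL_B]
    return {
        # revoked serial listed in the partition the certificate points at
        "revoked_in_partition_a": revocation_status(
            Cert(serial=1001, is_ca=False, cdp_uris=(PARTITION_A,)), crls),
        # not listed in its partition
        "good_in_partition_b": revocation_status(
            Cert(serial=2002, is_ca=False, cdp_uris=(PARTITION_B,)), crls),
        # CA certificate: user-cert-only partitions are out of scope for it
        "ca_cert_user_only_crl": revocation_status(
            Cert(serial=7, is_ca=True, cdp_uris=(PARTITION_A,)), crls),
        # certificate pointing at a partition that was never obtained
        "no_matching_partition": revocation_status(
            Cert(serial=3003, is_ca=False,
                 cdp_uris=("http://crl.example.test/issuer/part-c.crl",)), crls),
    }


if __name__ == "__main__":
    for name, status in run_checks().items():
        print(f"{name}: {status}")
```

The property worth checking in any verifier that consumes partitioned CRLs is the last two cases: a certificate for which no CRL is in scope must come back as undetermined and fail verification when CRL checking is enabled. With that design, a scope decision that goes wrong (the class of error this advisory describes) produces a visible verification failure rather than a revoked certificate being accepted.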

Impact

Exploiting this vulnerability allows revoked certificates to be incorrectly validated as active, bypassing essential revocation checks and potentially leading to the acceptance of compromised certificates in security-sensitive applications.

Remediation

Users should upgrade to AWS-LC version 1.71.0, AWS-LC-FIPS version 3.3.0, aws-lc-sys version 0.39.0, or aws-lc-fips-sys version 0.13.13, as applicable. Applications built on forked or derivative copies of the code must incorporate these updates themselves. Instructions for downloading the latest version are available on the AWS-LC GitHub release page.

Added: Mar 19, 2026, 9:20 PM
Updated: Mar 19, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          3.1
exploitability  7.0
remediation     0.0
relevance       4.1
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.