{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/openssl--0.9.7--0.10.79/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openssl (\u003e= 0.9.7, \u003c 0.10.79)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rust","openssl","certificate"],"_cs_type":"advisory","_cs_vendors":["OpenSSL"],"content_html":"\u003cp\u003eThe rust-openssl crate, a popular binding for OpenSSL in Rust applications, is vulnerable to a critical flaw in its \u003ccode\u003eX509Ref::ocsp_responders\u003c/code\u003e function. This function retrieves OCSP responder URLs from the Authority Information Access (AIA) extension of X.509 certificates. The \u003ccode\u003eOpensslString\u003c/code\u003e type, used to represent these URLs, employs \u003ccode\u003estr::from_utf8_unchecked\u003c/code\u003e which doesn\u0026rsquo;t validate UTF-8 encoding. Consequently, when a certificate contains non-UTF-8 characters in its OCSP accessLocation, the function constructs a \u003ccode\u003e\u0026amp;str\u003c/code\u003e that violates the UTF-8 invariant, leading to undefined behavior, potentially causing crashes or memory corruption. This vulnerability affects rust-openssl versions 0.9.7 up to, but not including, 0.10.79. This poses a risk to applications that rely on rust-openssl for certificate validation and trust establishment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious X.509 certificate with a non-UTF-8 encoded URL within the OCSP responder field of the AIA extension.\u003c/li\u003e\n\u003cli\u003eA vulnerable application using rust-openssl processes the malicious certificate.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eX509Ref::ocsp_responders\u003c/code\u003e to extract the OCSP responder URLs.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eX509Ref::ocsp_responders\u003c/code\u003e returns the malformed URL as an \u003ccode\u003eOpensslString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application attempts to use the \u003ccode\u003eOpensslString\u003c/code\u003e as a UTF-8 string via \u003ccode\u003eDeref\u0026lt;Target = str\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estr::from_utf8_unchecked\u003c/code\u003e function constructs a \u003ccode\u003e\u0026amp;str\u003c/code\u003e that violates the UTF-8 invariant.\u003c/li\u003e\n\u003cli\u003eSubsequent operations on the invalid \u003ccode\u003e\u0026amp;str\u003c/code\u003e result in undefined behavior, such as memory corruption or program crashes.\u003c/li\u003e\n\u003cli\u003eThe application becomes unstable or crashes, potentially leading to denial of service or other unexpected consequences.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to undefined behavior in applications that rely on rust-openssl for certificate validation, potentially resulting in denial-of-service conditions or other unexpected program behavior. While the scope of impact depends on how the application handles certificate processing, any application using rust-openssl versions 0.9.7 to 0.10.78 is potentially vulnerable when handling untrusted certificates. The lack of UTF-8 validation makes applications susceptible to maliciously crafted certificates.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to rust-openssl version 0.10.79 or later to remediate CVE-2026-42327.\u003c/li\u003e\n\u003cli\u003eImplement certificate validation routines that explicitly check for valid UTF-8 encoding in OCSP responder URLs before further processing.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect rust-openssl OCSP Responder URL Non-UTF-8\u0026rdquo; to identify potentially vulnerable processes.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for crashes or unexpected behavior when processing certificates, which might indicate exploitation of this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rust-openssl-x509ref-ocsp-responders-vulnerability/","summary":"The `X509Ref::ocsp_responders` function in rust-openssl versions 0.9.7 to 0.10.78 returns OCSP responder URLs from a certificate's AIA extension without proper UTF-8 validation, leading to undefined behavior when processing certificates with non-UTF-8 OCSP URLs.","title":"rust-openssl X509Ref::ocsp_responders Undefined Behavior Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-rust-openssl-x509ref-ocsp-responders-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed — Openssl (\u003e= 0.9.7, \u003c 0.10.79)","version":"https://jsonfeed.org/version/1.1"}