Openssl (>= 0.9.7, < 0.10.79) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/openssl--0.9.7--0.10.79/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000rust-openssl X509Ref::ocsp_responders Undefined Behavior Vulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-rust-openssl-x509ref-ocsp-responders-vulnerability/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rust-openssl-x509ref-ocsp-responders-vulnerability/The `X509Ref::ocsp_responders` function in rust-openssl versions 0.9.7 to 0.10.78 returns OCSP responder URLs from a certificate's AIA extension without proper UTF-8 validation, leading to undefined behavior when processing certificates with non-UTF-8 OCSP URLs.The rust-openssl crate, a popular binding for OpenSSL in Rust applications, is vulnerable to a critical flaw in its X509Ref::ocsp_responders function. This function retrieves OCSP responder URLs from the Authority Information Access (AIA) extension of X.509 certificates. The OpensslString type, used to represent these URLs, employs str::from_utf8_unchecked which doesn’t validate UTF-8 encoding. Consequently, when a certificate contains non-UTF-8 characters in its OCSP accessLocation, the function constructs a &str that violates the UTF-8 invariant, leading to undefined behavior, potentially causing crashes or memory corruption. This vulnerability affects rust-openssl versions 0.9.7 up to, but not including, 0.10.79. This poses a risk to applications that rely on rust-openssl for certificate validation and trust establishment.

Attack Chain

  1. An attacker crafts a malicious X.509 certificate with a non-UTF-8 encoded URL within the OCSP responder field of the AIA extension.
  2. A vulnerable application using rust-openssl processes the malicious certificate.
  3. The application calls X509Ref::ocsp_responders to extract the OCSP responder URLs.
  4. X509Ref::ocsp_responders returns the malformed URL as an OpensslString.
  5. The application attempts to use the OpensslString as a UTF-8 string via Deref<Target = str>.
  6. The str::from_utf8_unchecked function constructs a &str that violates the UTF-8 invariant.
  7. Subsequent operations on the invalid &str result in undefined behavior, such as memory corruption or program crashes.
  8. The application becomes unstable or crashes, potentially leading to denial of service or other unexpected consequences.

Impact

Successful exploitation of this vulnerability can lead to undefined behavior in applications that rely on rust-openssl for certificate validation, potentially resulting in denial-of-service conditions or other unexpected program behavior. While the scope of impact depends on how the application handles certificate processing, any application using rust-openssl versions 0.9.7 to 0.10.78 is potentially vulnerable when handling untrusted certificates. The lack of UTF-8 validation makes applications susceptible to maliciously crafted certificates.

Recommendation

  • Upgrade to rust-openssl version 0.10.79 or later to remediate CVE-2026-42327.
  • Implement certificate validation routines that explicitly check for valid UTF-8 encoding in OCSP responder URLs before further processing.
  • Deploy the Sigma rule “Detect rust-openssl OCSP Responder URL Non-UTF-8” to identify potentially vulnerable processes.
  • Monitor application logs for crashes or unexpected behavior when processing certificates, which might indicate exploitation of this vulnerability.
]]>highadvisoryvulnerabilityrustopensslcertificate