Bug 1219243 (CVE-2024-0727)

Summary: VUL-0: CVE-2024-0727: compat-openssl098,openssl,openssl-1_0_0,openssl-1_1,openssl-1_1-livepatches,openssl-3,openssl1: openssl: denial of service via null dereference
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392059/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-0727:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-26 16:12:16 UTC 
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0727
https://bugzilla.redhat.com/show_bug.cgi?id=2259944
https://www.cve.org/CVERecord?id=CVE-2024-0727
Comment 1 Marcus Meissner 2024-01-26 16:14:01 UTC 
https://www.openssl.org/news/secadv/20240125.txt

OpenSSL Security Advisory [25th January 2024]
=============================================

PKCS12 Decoding crashes (CVE-2024-0727)
=======================================

Severity: Low

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.1 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.5 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.13 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1x once it is released
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zj once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit x (for 3.2),
commit x (for 3.1) and commit x (for 3.0) in the OpenSSL git
repository. It is available to premium support customers in commit
x (for 1.1.1) and in commit
x (for 1.0.2).

This issue was reported on 23rd November 2023 by Bahaa Naamneh (Crosspoint
Labs). The fix was developed by Matt Caswell.

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20240125.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.htm
Comment 2 Marcus Meissner 2024-01-26 16:18:43 UTC 
also affects 0.9.8 (code seems pretty much unchanged there)
Comment 4 OBSbugzilla Bot 2024-02-06 15:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1219243) was mentioned in
https://build.opensuse.org/request/show/1144625 Factory / openssl-3
Comment 7 Otto Hollmann 2024-02-08 08:34:31 UTC 
All affected codestreams fixed, assigning back to security team.

> Codestream              Package            Request
> --OpenSSL 3.x.x---------------------------------------------------------------------
> SUSE:SLE-15-SP6:GA      openssl-3          https://build.suse.de/request/show/320710
> SUSE:SLE-15-SP5:Update  openssl-3          https://build.suse.de/request/show/320531
> SUSE:SLE-15-SP4:Update  openssl-3          https://build.suse.de/request/show/320533
> SUSE:ALP:Source:Std:1.0 openssl-3          https://build.suse.de/request/show/320842
> openSUSE:Factory        openssl-3          https://build.opensuse.org/request/show/1144625
> --OpenSSL 1.1.x---------------------------------------------------------------------
> SUSE:SLE-15-SP6:GA      openssl-1_1        https://build.suse.de/request/show/320709
> SUSE:SLE-15-SP5:Update  openssl-1_1        https://build.suse.de/request/show/320534
> SUSE:SLE-15-SP4:Update  openssl-1_1        https://build.suse.de/request/show/320535
> SUSE:SLE-15-SP2:Update  openssl-1_1        https://build.suse.de/request/show/320536
> SUSE:SLE-15-SP1:Update  openssl-1_1        https://build.suse.de/request/show/320537
> SUSE:SLE-12-SP4:Update  openssl-1_1        https://build.suse.de/request/show/320538
> SUSE:ALP:Source:Std:1.0 openssl-1_1        https://build.suse.de/request/show/320843
> openSUSE:Factory        openssl-1_1        https://build.opensuse.org/request/show/1144566
> --OpenSSL 1.0.0---------------------------------------------------------------------
> SUSE:SLE-15:Update      openssl-1_0_0      https://build.suse.de/request/show/320539
> SUSE:SLE-12-SP4:Update  openssl-1_0_0      https://build.suse.de/request/show/320542
> SUSE:SLE-12-SP2:Update  openssl            https://build.suse.de/request/show/320543
> SUSE:SLE-11-SP3:Update  openssl1           https://build.suse.de/request/show/320544
> openSUSE:Factory        openssl-1_0_0      https://build.opensuse.org/request/show/1144563
> --OpenSSL 0.9.8---------------------------------------------------------------------
> SUSE:SLE-12:Update      compat-openssl098  https://build.suse.de/request/show/320545
> SUSE:SLE-11-SP1:Update  openssl            https://build.suse.de/request/show/320546
Comment 12 Maintenance Automation 2024-02-15 20:30:07 UTC 
SUSE-SU-2024:0518-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1218690, 1218810, 1219243
CVE References: CVE-2023-6129, CVE-2023-6237, CVE-2024-0727
Sources used:
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Manager Proxy 4.3 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Manager Retail Branch Server 4.3 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Manager Server 4.3 (src): openssl-3-3.0.8-150400.4.49.1
openSUSE Leap 15.4 (src): openssl-3-3.0.8-150400.4.49.1
openSUSE Leap Micro 5.3 (src): openssl-3-3.0.8-150400.4.49.1
openSUSE Leap Micro 5.4 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise Micro 5.3 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise Micro 5.4 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): openssl-3-3.0.8-150400.4.49.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): openssl-3-3.0.8-150400.4.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-02-20 20:36:34 UTC 
SUSE-SU-2024:0549-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
openSUSE Leap 15.5 (src): openssl-1_1-1.1.1l-150500.17.25.1
SUSE Linux Enterprise Micro 5.5 (src): openssl-1_1-1.1.1l-150500.17.25.1
Basesystem Module 15-SP5 (src): openssl-1_1-1.1.1l-150500.17.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-03-08 12:36:36 UTC 
SUSE-SU-2024:0815-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
openSUSE Leap 15.5 (src): openssl-3-3.0.8-150500.5.27.1
Basesystem Module 15-SP5 (src): openssl-3-3.0.8-150500.5.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2024-03-08 12:36:37 UTC 
SUSE-SU-2024:0814-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_0_0-1.0.2p-3.90.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_0_0-1.0.2p-3.90.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_0_0-1.0.2p-3.90.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_0_0-1.0.2p-3.90.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2024-03-08 12:36:41 UTC 
SUSE-SU-2024:0813-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_1-1.1.1d-2.104.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_1-1.1.1d-2.104.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_1-1.1.1d-2.104.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_1-1.1.1d-2.104.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2024-03-11 12:30:01 UTC 
SUSE-SU-2024:0833-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
SUSE Manager Server 4.3 (src): openssl-1_1-1.1.1l-150400.7.63.1
openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.63.1
openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.63.1
openSUSE Leap Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Manager Proxy 4.3 (src): openssl-1_1-1.1.1l-150400.7.63.1
SUSE Manager Retail Branch Server 4.3 (src): openssl-1_1-1.1.1l-150400.7.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2024-03-11 12:30:03 UTC 
SUSE-SU-2024:0832-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.85.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssl-1_1-1.1.1d-150200.11.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Maintenance Automation 2024-03-11 12:30:07 UTC 
SUSE-SU-2024:0831-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
Legacy Module 15-SP5 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
SUSE Enterprise Storage 7.1 (src): openssl-1_0_0-1.0.2p-150000.3.91.1
openSUSE Leap 15.5 (src): openssl-1_0_0-1.0.2p-150000.3.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2024-03-12 12:54:18 UTC 
SUSE-SU-2024:0842-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl-0.9.8j-0.106.83.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl-0.9.8j-0.106.83.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2024-03-12 12:54:19 UTC 
SUSE-SU-2024:0841-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl1-1.0.1g-0.58.79.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl1-1.0.1g-0.58.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2024-03-12 12:54:22 UTC 
SUSE-SU-2024:0840-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219243
CVE References: CVE-2024-0727
Sources used:
Legacy Module 12 (src): compat-openssl098-0.9.8j-106.64.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): compat-openssl098-0.9.8j-106.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.