
Use After Free

CVE-2023-0215

Severity High
Score 7.5/10

Summary

The public API function "BIO_new_NDEF" is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the "SMIME", "CMS" and "PKCS7" streaming capabilities, but may also be called directly by end-user applications. The function receives a BIO from the caller, prepends a new "BIO_f_asn1" filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case the BIO chain is not properly cleaned up, and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call "BIO_pop()" on that BIO, a Use-After-Free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function "B64_write_ASN1()", which may cause "BIO_new_NDEF()" to be called and will subsequently call "BIO_pop()" on the BIO. This internal function is in turn called by the public API functions "PEM_write_bio_ASN1_stream", "PEM_write_bio_CMS_stream", "PEM_write_bio_PKCS7_stream", "SMIME_write_ASN1", "SMIME_write_CMS" and "SMIME_write_PKCS7". Other public API functions that may be impacted by this include "i2d_ASN1_bio_stream", "BIO_new_CMS", "BIO_new_PKCS7", "i2d_CMS_bio_stream" and "i2d_PKCS7_bio_stream". The OpenSSL "CMS" and "SMIME" command line applications are similarly affected.

This vulnerability affects OpenSSL versions 1.0.2-beta1 through 1.0.2u, 1.1.1-pre1 through 1.1.1s, and 3.0.0-alpha1 through 3.0.7.
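The chain-cleanup mistake described above, shown on a minimal doubly-linked model of a BIO chain. This is added illustrative code, not OpenSSL's source: the structure, the functions and the `setup_ok` flag (standing in for the invalid-recipient-key condition) are assumptions, and the buggy path only compares the stale pointer, never dereferences it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of an OpenSSL-style BIO chain (model only, not OpenSSL's BIO):
 * next_bio points toward the sink, prev_bio back toward the head. */
typedef struct bio_st {
    struct bio_st *next_bio;
    struct bio_st *prev_bio;
} BIO;

static BIO *bio_new(void) { return calloc(1, sizeof(BIO)); }

/* Prepend b onto chain, like BIO_push(b, chain); returns the new head. */
static BIO *bio_push(BIO *b, BIO *chain) {
    b->next_bio = chain;
    if (chain != NULL)
        chain->prev_bio = b;          /* caller's BIO now points back at b */
    return b;
}

/* Unlink b from its neighbours, like BIO_pop(b); returns the next BIO.
 * Note that it dereferences b->prev_bio: if that points at freed memory,
 * this is exactly where the use-after-free happens. */
static BIO *bio_pop(BIO *b) {
    BIO *next = b->next_bio;
    if (next != NULL)
        next->prev_bio = b->prev_bio;
    if (b->prev_bio != NULL)
        b->prev_bio->next_bio = next;
    b->next_bio = b->prev_bio = NULL;
    return next;
}

/* Model of BIO_new_NDEF's error path. With pop_before_free == 0 the filter
 * is freed while `out` still holds it in prev_bio (the vulnerable pattern);
 * with pop_before_free == 1 it is unlinked first (the fix). */
static BIO *new_ndef_model(BIO *out, int setup_ok, int pop_before_free) {
    BIO *asn_bio = bio_new();
    if (asn_bio == NULL)
        return NULL;
    out = bio_push(asn_bio, out);
    if (!setup_ok) {                  /* e.g. invalid CMS recipient key */
        if (pop_before_free)
            bio_pop(asn_bio);         /* detach before freeing */
        free(asn_bio);
        return NULL;
    }
    return out;
}

/* 1 if, after a failed setup, the caller's BIO still carries a back-pointer
 * to the freed filter (so a later bio_pop on it would be a UAF). */
static int caller_bio_dangles(int pop_before_free) {
    BIO *user = bio_new();
    BIO *head = new_ndef_model(user, 0, pop_before_free);
    int dangles = (head == NULL && user->prev_bio != NULL);
    free(user);
    return dangles;
}
```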

CVSS v3.1 metrics

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-416 - Use After Free

A use-after-free (UaF) vulnerability occurs when an application uses a pointer to memory that has already been freed. Any attempt to read from or write to a buffer after it has been de-allocated allows memory corruption and sensitive information exposure, and can potentially lead to arbitrary code execution.

Advisory Timeline

  • Published