RUSTSEC-2022-0027

OCSP_basic_verify may incorrectly verify the response signing certificate

Issued
Package: openssl-src (crates.io)
Type: Vulnerability
Categories
Aliases
Details: https://www.openssl.org/news/secadv/20220503.txt
CVSS Score: 5.3 MEDIUM
CVSS Details
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Patched
  • >=300.0.6
Unaffected
  • <300.0

Description

The function OCSP_basic_verify verifies the signer certificate on an OCSP response. When the (non-default) OCSP_NOCHECKS flag is used, the function returns a positive value (indicating successful verification) even when the response signing certificate fails to verify.

Most users of OCSP_basic_verify are expected not to use the OCSP_NOCHECKS flag. Without that flag, a certificate verification failure makes OCSP_basic_verify return a negative value (indicating a fatal error), whereas the normal expected return value in that case would be 0.