DoS vulnerability in OpenSSL

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2020-035 CVE-2020-1971 12/07/2020 low v1

Vulnerability details

A vulnerability in OpenSSL could allow an attacker to initaite DoS using a malformed field in a CRL. The attacker shall be a SNS administrator or an administrator of an external trusted CA.

Impacted products

ProductsSeverityDetail
Stormshield Network Security low SNS is impacted
Netasq low Netasq is not impacted

Revisions

Version Date Description
v1  12/18/2020 Initial release
v2  03/01/2021 Update “Solution” section

 



Stormshield Network Security

CVSS v2 Overall Score: 3.9      

Analysis

Impacted version

The vulnerability could allow an attacker to remotely initiate a DoS on : SSL Proxy, SSL VPN, IPSec VPN, Certificate authentication.

The attacker shall be a SNS administrator or an administrator of an external trusted CA.

  • SNS 2.0.0 to 2.7.7
  • SNS 3.0.0 to 3.7.14
  • SNS 3.8.0 to 3.11.2
  • SNS 4.0.0 to 4.1.2

Workaround solution

Solution

-Audit administrators actions and CRL accesses on the SNS.

The vulnerability is fixed in versions:

  • SNS 2.7.8
  • SNS 3.7.15
  • SNS 3.11.3
  • SNS 4.1.3

 



Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Network High None None None Partial
CVSS Base score: 2.6 CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Exploitability Remediation Level Report Confidence
Unproven that exploit exists Official fix Confirmed
CVSS Temporal score: 1.9 CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Collateral Damage Potential Target Distribution
Medium-High Medium [26-75%]
CVSS Environmental score: 3.9 CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)


Netasq

CVSS v2 Overall Score: 3.9      

Analysis

Impacted version

The vulnerability could allow an atacker to remotely crash OpenSSL on the SNS.

  • Netasq 9.0.9 to 9.1.10

Workaround solution

Solution

-Audit your CRL registered on the SNS and keep them on restricted write access

No solution



Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Network High None None None Partial
CVSS Base score: 2.6 CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Exploitability Remediation Level Report Confidence
Unproven that exploit exists Official fix Confirmed
CVSS Temporal score: 1.9 CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Collateral Damage Potential Target Distribution
Medium-High Medium [26-75%]
CVSS Environmental score: 3.9 CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)