MNBSD-2022-3: OpenSSL BN_mod_sqrt() infinite loop when parsing crafted certificates

Severity: Unknown

Affected Package: openssl

Summary: OpenSSL BN_mod_sqrt() infinite loop when parsing crafted certificates

Description

The BN_mod_sqrt() function, which is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit curve parameters with a base point encoded in compressed form, could be tricked into an infinite loop by a certificate with invalid explicit curve parameters. Because certificate parsing can happen before signature verification, any process that parses externally supplied certificates may be subject to a denial of service.
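The trigger described above is reached only through EC public keys whose curve is given as explicit parameters rather than a named-curve OID (RFC 5480 requires the named form for PKIX certificates). One interim mitigation for services that must parse untrusted certificates with an unpatched OpenSSL is to triage the DER before it reaches the library and refuse anything carrying explicit parameters. The following is an added example written for this page, not code from the advisory or from OpenSSL: a minimal, dependency-free DER walker (`read_tlv`, `children`, `classify_ec_key`, `triage` are all hypothetical names) that locates the SubjectPublicKeyInfo, reports whether an EC key uses a named curve, explicit parameters or an implicit curve, and whether the point is compressed. The sample certificates it runs on are constructed skeletons with placeholder fields; the explicit-parameter sample is an empty SEQUENCE, not real curve data. Patching remains the fix; the check is a front-line filter and a detection hook.

```python
"""Pre-parse triage of EC public keys in X.509 certificates (constructed example)."""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1
ID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")        # 1.2.840.10045.3.1.7
ID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def classify_ec_key(cert_der):
    """Return (params_kind, compressed) for the certificate's public key.

    params_kind is 'named', 'explicit', 'implicit' or 'not-ec';
    compressed is True/False for EC keys and None otherwise.
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs = next(children(cert))      # tbsCertificate is the first element
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = list(children(tbs))
    if fields and fields[0][0] == 0xA0:      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    alg_id, pubkey = list(children(spki))[:2]
    alg = list(children(alg_id[1]))
    if alg[0][0] != 0x06 or alg[0][1] != ID_EC_PUBLIC_KEY:
        return "not-ec", None
    # BIT STRING content: one unused-bits byte, then the encoded point
    # (0x04 uncompressed, 0x02/0x03 compressed).
    bits = pubkey[1]
    compressed = len(bits) > 1 and bits[1] in (0x02, 0x03)
    if len(alg) < 2 or alg[1][0] == 0x05:    # absent or NULL: implicitlyCA
        return "implicit", compressed
    ptag = alg[1][0]
    if ptag == 0x06:
        return "named", compressed
    if ptag == 0x30:                         # ECParameters SEQUENCE
        return "explicit", compressed
    raise ValueError("unexpected ECParameters choice")


def triage(cert_der):
    """Policy: accept only named-curve EC keys and non-EC keys."""
    kind, _ = classify_ec_key(cert_der)
    return kind in ("named", "not-ec")


# --- constructed samples below; placeholder fields, real SPKI layout ---

def der(tag, content):
    """Minimal DER encoder, used only to build the sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(alg_oid, params, point_prefix=0x04):
    """Constructed certificate skeleton around a given AlgorithmIdentifier."""
    coords = 2 if point_prefix == 0x04 else 1
    point = bytes([point_prefix]) + b"\x11" * 32 * coords   # placeholder point
    spki = der(0x30, der(0x30, der(0x06, alg_oid) + params)
               + der(0x03, b"\x00" + point))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))   # version v3
              + der(0x02, b"\x01")                 # serialNumber (placeholder)
              + der(0x30, b"") * 4                 # signature, issuer, validity, subject
              + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


NAMED = der(0x06, ID_PRIME256V1)
EXPLICIT = der(0x30, b"")    # placeholder ECParameters SEQUENCE; contents not modelled
IMPLICIT = der(0x05, b"")

if __name__ == "__main__":
    for label, cert in [("named", sample_cert(ID_EC_PUBLIC_KEY, NAMED)),
                        ("explicit", sample_cert(ID_EC_PUBLIC_KEY, EXPLICIT, 0x02)),
                        ("rsa", sample_cert(ID_RSA_ENCRYPTION, der(0x05, b"")))]:
        print(label, classify_ec_key(cert), "accept" if triage(cert) else "reject")
```

Logging the `explicit` outcome rather than silently dropping the connection gives a cheap detection signal: legitimate PKIX certificates essentially never carry explicit curve parameters, so any hit is worth an alert. The walker deliberately reads only tags and lengths and never touches the curve arithmetic, which is what keeps the filter itself outside the affected code path.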

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2022-0778

Published: March 15, 2022
Last Modified: March 15, 2022