CVE-2021-3449
vulnerability analysis and mitigation

Overview

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue (OpenSSL Advisory).

Technical details

The vulnerability occurs when processing a maliciously crafted TLSv1.2 renegotiation ClientHello message that omits the signature_algorithms extension but includes a signature_algorithms_cert extension, leading to a NULL pointer dereference. This vulnerability has been assigned a CVSS Base Score of 5.9 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

Impact

A successful exploitation of this vulnerability results in a crash of the OpenSSL TLS server, leading to a denial of service (DoS) attack. The vulnerability only affects server configurations with TLSv1.2 and renegotiation enabled, which is the default configuration (OpenSSL Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to OpenSSL version 1.1.1k, which contains the fix for this vulnerability. For systems that cannot be immediately upgraded, workarounds include either turning off TLSv1.2 (as TLSv1.3 is unaffected) or turning off renegotiation on the TLS server (FreeBSD Advisory).
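As an added example (not code from the OpenSSL project or from this report), the following Python helper checks an `openssl version` string against the affected range stated above and builds a server `ssl.SSLContext` that applies the two workarounds. It assumes Python 3.7 or later linked against OpenSSL 1.1.0h or newer, which `ssl.OP_NO_RENEGOTIATION` requires.

```python
"""CVE-2021-3449: affected-version check and workaround TLS server context.

Added example; not OpenSSL's or the report's own code. Assumes Python 3.7+
built against OpenSSL 1.1.0h or newer (needed for ssl.OP_NO_RENEGOTIATION).
"""
import re
import ssl

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.1.1j  16 Feb 2021",
# capturing major.minor.fix plus the optional patch letter.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def is_affected(version_string: str) -> bool:
    """Return True if the string names an OpenSSL build affected by CVE-2021-3449.

    Per the advisory: every 1.1.1 release before 1.1.1k is affected, 1.0.2 is
    not, and 3.x releases postdate the fix.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    if (major, minor, fix) != (1, 1, 1):
        return False
    # Patch letters sort alphabetically; "" (plain 1.1.1) sorts before "a".
    return letter < "k"


def local_openssl_affected() -> bool:
    """Check the OpenSSL build this interpreter is linked against."""
    return is_affected(ssl.OPENSSL_VERSION)


def hardened_server_context(disable_tls12: bool = False) -> ssl.SSLContext:
    """Server context applying the advisory workarounds.

    Renegotiation requests are always ignored; with disable_tls12=True only
    TLSv1.3 (unaffected) is offered. Certificate loading is left to the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_RENEGOTIATION  # server never honours renegotiation
    if disable_tls12:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def workaround_status(ctx: ssl.SSLContext) -> dict:
    """Report which of the two workarounds a context applies."""
    return {
        "renegotiation_disabled": bool(ctx.options & ssl.OP_NO_RENEGOTIATION),
        "tls12_disabled": ctx.minimum_version >= ssl.TLSVersion.TLSv1_3,
    }
```

Disabling TLSv1.2 removes service for clients without TLSv1.3 support, so the renegotiation-only variant is the safer interim choice for most deployments.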

Community reactions

Multiple vendors and organizations have responded to this vulnerability by releasing security advisories and patches, including Cisco, NetApp, Red Hat, and Debian. The vulnerability has been widely acknowledged across the industry as requiring prompt attention, particularly due to its potential for denial of service attacks (Cisco Advisory).

Source: This report was generated using AI.
