CVE-2024-0727
NixOS vulnerability analysis and mitigation

Overview

CVE-2024-0727 is a security vulnerability in OpenSSL's PKCS12 file processing. It was discovered by Bahaa Naamneh of Crosspoint Labs and disclosed on January 25, 2024. It affects multiple OpenSSL release lines: 3.2.0 before 3.2.1, 3.1.0 before 3.1.5, 3.0.0 before 3.0.13, 1.1.1 before 1.1.1x, and 1.0.2 before 1.0.2zj (OpenSSL Advisory).

Technical details

The vulnerability stems from OpenSSL's improper handling of NULL fields in PKCS12 files. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not check for this condition before using them, so a maliciously crafted PKCS12 file can trigger a NULL pointer dereference during parsing. The vulnerable OpenSSL APIs are PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass() (OpenSSL Advisory).

Impact

When triggered, this vulnerability causes OpenSSL to crash, leading to a Denial of Service (DoS) condition for the calling application. Applications that process PKCS12 files from untrusted sources through the affected OpenSSL APIs are exposed to this issue. The vulnerability is rated Low severity because its impact is limited to a crash and no memory disclosure or code execution is involved (OpenSSL Advisory).

Mitigation and workarounds

The issue has been fixed in OpenSSL versions 3.2.1, 3.1.5, 3.0.13, 1.1.1x, and 1.0.2zj. Users are advised to upgrade to these patched versions. The FIPS modules in OpenSSL 3.2, 3.1, and 3.0 are not affected by this issue (OpenSSL Advisory).
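Because the fix is a version upgrade, the practical check is whether an installed OpenSSL build is at or above the first fixed release on its branch. The following is an added example, not code from the page or from the OpenSSL project; it parses the output of `openssl version` (or any string containing a version) and compares it against the fixed versions listed above. The fixed-version table and the sample strings are constructed from the advisory figures on this page. Note the 1.x letter suffixes: OpenSSL 1.0.2 releases run a..z and then za, zb, ..., so a longer suffix is always newer and must be compared by length before lexicographic order.

```python
"""Check an OpenSSL version string against the CVE-2024-0727 fixed releases."""
import re
import subprocess

# First patched release on each affected branch, taken from the advisory.
FIXED_VERSIONS = {
    "3.2": "3.2.1",
    "3.1": "3.1.5",
    "3.0": "3.0.13",
    "1.1.1": "1.1.1x",
    "1.0.2": "1.0.2zj",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample strings in the shape `openssl version` prints.
SAMPLE_OUTPUTS = [
    "OpenSSL 3.0.12 (constructed sample)",
    "OpenSSL 1.1.1w (constructed sample)",
    "OpenSSL 1.0.2zj (constructed sample)",
    "OpenSSL 3.3.0 (constructed sample)",
]


def parse_version(text):
    """Return (major, minor, patch, letters) for the first version found in text,
    or None if the text carries no OpenSSL-style version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def version_key(v):
    """Sort key: numeric parts, then the 1.x letter suffix by length, then text."""
    major, minor, patch, letters = v
    return (major, minor, patch, len(letters), letters)


def branch_of(v):
    """Map a version to the advisory's branch naming (3.x uses two components,
    1.x uses three, e.g. 1.1.1 or 1.0.2)."""
    major, minor, patch, _ = v
    if major == 3:
        return f"{major}.{minor}"
    if major == 1:
        return f"{major}.{minor}.{patch}"
    return None


def is_fixed(text):
    """Return (branch, fixed_version, ok).

    ok is True when the version is at or above the first fixed release on its
    branch, False when it is still vulnerable, and None when the advisory does
    not list the branch at all (for example 3.3.x, which postdates the fix)."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    branch = branch_of(v)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return branch, None, None
    return branch, fixed, version_key(v) >= version_key(parse_version(fixed))


def check_local_openssl():
    """Run `openssl version` on this host and classify the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return is_fixed(out.stdout)


if __name__ == "__main__":
    for s in SAMPLE_OUTPUTS:
        print(s, "->", is_fixed(s))
    try:
        print("local:", check_local_openssl())
    except (FileNotFoundError, subprocess.CalledProcessError) as e:
        print("local openssl not available:", e)
```

On NixOS the binary on PATH may not be the library a given service is linked against, so run the check against each package's own `openssl` output (or the library's reported version) rather than trusting a single system-wide result.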
