CVE-2023-0217 in OpenSSLinfo

Summary

by MITRE • 02/08/2023

An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack.

The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/05/2025

This vulnerability represents a critical denial of service risk within OpenSSL's cryptographic processing capabilities. The issue manifests as an invalid pointer dereference when the EVP_PKEY_public_check() function attempts to validate malformed DSA public keys. This specific flaw occurs during the verification process where applications encounter improperly formatted public key data that triggers memory access violations. The vulnerability is particularly concerning because it can be exploited through untrusted input sources, making it a potential vector for remote attackers to disrupt service availability. The technical nature of this flaw places it squarely within the realm of memory safety issues that have been extensively documented in cybersecurity literature, with similar vulnerabilities often classified under CWE-476 which addresses NULL pointer dereferences.

The operational impact of CVE-2023-0217 extends beyond simple application crashes to potentially compromise entire service availability within systems that rely on OpenSSL for cryptographic operations. When applications call EVP_PKEY_public_check() function as part of compliance requirements such as FIPS 140-3 certification processes, they become vulnerable to this specific attack vector. The vulnerability affects any application that implements additional security checks beyond OpenSSL's standard TLS implementation, which typically does not invoke this particular function. This creates a scenario where organizations implementing strict compliance measures may inadvertently expose themselves to denial of service attacks through legitimate security validation processes. The attack requires minimal prerequisites as it only necessitates providing malformed DSA public key data to trigger the vulnerable code path.

Security professionals should recognize this vulnerability as a potential entry point for attackers seeking to disrupt services through resource exhaustion or application instability. The flaw aligns with ATT&CK technique T1499 which covers network denial of service attacks, particularly when combined with the ability to trigger crashes through malformed input. Organizations implementing FIPS 140-3 compliance requirements must carefully evaluate their use of EVP_PKEY_public_check() functions, as this represents a specific weakness in the validation logic that could be exploited by adversaries. The vulnerability demonstrates how security compliance measures, while intended to enhance protection, can sometimes introduce new attack surfaces if not properly implemented or if they contain implementation flaws. The memory safety issue stems from insufficient input validation during public key parsing operations, where the code assumes valid pointer references without proper bounds checking or null validation.

Mitigation strategies should focus on both immediate patching and architectural considerations for applications that utilize the vulnerable function. The most effective immediate solution involves upgrading to OpenSSL versions that contain the fix for this specific pointer dereference issue. Organizations should also implement input sanitization measures that validate public key data before passing it to cryptographic validation functions, effectively preventing malformed data from reaching the vulnerable code path. Additionally, application developers should consider implementing defensive programming techniques such as proper error handling and memory validation checks when processing untrusted cryptographic inputs. The vulnerability highlights the importance of thorough code review processes for cryptographic libraries and demonstrates how seemingly benign validation functions can become attack vectors when proper input sanitization is not implemented. Security monitoring should include detection of application crashes or abnormal termination patterns that could indicate exploitation attempts, particularly in systems where FIPS compliance requirements mandate the use of EVP_PKEY_public_check() functions.

Reservation

01/11/2023

Disclosure

02/08/2023

Moderation

accepted

CPE

ready

EPSS

0.01846

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!