CVE-2021-3449 Overview
CVE-2021-3449 is a NULL pointer dereference vulnerability in OpenSSL that affects TLS servers running with TLSv1.2 and renegotiation enabled. An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Specifically, if a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, a NULL pointer dereference occurs, leading to a crash and denial of service condition.
This vulnerability is particularly significant because the vulnerable configuration—TLSv1.2 with renegotiation enabled—is the default configuration for affected OpenSSL versions. OpenSSL TLS clients are not impacted by this issue. The vulnerability affects all OpenSSL 1.1.1 versions from 1.1.1 through 1.1.1j, and users should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted.
Critical Impact
Network-accessible TLS servers using vulnerable OpenSSL versions can be crashed remotely by malicious clients, causing service disruption without requiring authentication.
Affected Products
- OpenSSL 1.1.1 through 1.1.1j
- Node.js (multiple versions using affected OpenSSL)
- Debian Linux 9.0 and 10.0
- FreeBSD 12.2 (including patch levels p1 and p2)
- NetApp Active IQ Unified Manager, SnapCenter, StorageGrid, and related products
- Tenable Nessus, Nessus Network Monitor, and Tenable.sc
- Oracle MySQL Server, MySQL Connectors, MySQL Workbench, and GraalVM
- Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINEC product families
- Check Point Quantum Security Gateway and Management products
- SonicWall SMA100 and SonicOS products
- McAfee Web Gateway and Web Gateway Cloud Service
Discovery Timeline
- 2021-03-25 - CVE-2021-3449 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3449
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). The flaw exists in how OpenSSL handles TLS renegotiation when specific combinations of extensions are present or absent in ClientHello messages.
During TLS 1.2 renegotiation, the server expects consistency in the extensions provided by the client. When an initial ClientHello contains the signature_algorithms extension and a subsequent renegotiation ClientHello omits this extension while including signature_algorithms_cert, the server code attempts to access a NULL pointer, resulting in an immediate crash.
The attack can be executed over the network without any authentication, though it does require successful TLS handshake initiation. The primary impact is availability—no confidentiality or integrity compromise occurs, but the service becomes unavailable until restarted.
Root Cause
The root cause lies in improper handling of the extension parsing logic during TLS renegotiation. The OpenSSL code assumed that if signature_algorithms_cert was present, then signature_algorithms would also be present (as it was in the initial handshake). When the renegotiation ClientHello violates this assumption by removing the signature_algorithms extension, the code dereferences a NULL pointer when processing the signature algorithms.
The fix, implemented in commit fb9fa6b51defd48157eeb207f52181f735d96148, adds proper NULL checks before accessing the signature algorithms data structure during renegotiation processing.
Attack Vector
The attack requires network access to a TLS server running a vulnerable OpenSSL version. The sequence is:
- The attacker initiates a TLS 1.2 connection with the signature_algorithms extension present in the initial ClientHello
- The attacker requests renegotiation with a crafted ClientHello that includes signature_algorithms_cert but omits signature_algorithms
- The server processes this malformed renegotiation request and crashes due to the NULL pointer dereference
The attack vector is network-based and requires no privileges or user interaction. The vulnerability manifests when OpenSSL attempts to process the inconsistent extension state between the initial handshake and the renegotiation attempt. The server validates extension presence inconsistently, leading to the crash condition when the pointer to the signature algorithms structure is dereferenced without a NULL check. For detailed technical information, see the OpenSSL Security Advisory.
Detection Methods for CVE-2021-3449
Indicators of Compromise
- Unexpected TLS server process crashes or restarts without clear cause
- Core dumps or crash logs showing NULL pointer dereference in OpenSSL TLS handling functions
- High frequency of TLS connection attempts followed by renegotiation requests from single sources
- Network traffic patterns showing repeated ClientHello messages with inconsistent extension combinations
Detection Strategies
- Monitor TLS server process stability and implement automatic restart detection with alerting
- Analyze TLS handshake patterns using network intrusion detection systems for anomalous renegotiation requests
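- Deploy deep packet inspection rules to identify ClientHello messages with mismatched extension combinations; because a TLSv1.2 renegotiation ClientHello is sent inside the already encrypted session, these rules only see it where TLS is terminated or decrypted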
- Implement application-level logging to capture TLS handshake extension details for forensic analysis
Monitoring Recommendations
- Configure process monitoring for OpenSSL-dependent services to detect abnormal termination
- Enable crash dump collection and analysis for rapid root cause identification
- Monitor network traffic for unusual patterns of TLS connections from single IP addresses
- Set up alerting for TLS connection failure rate anomalies that may indicate ongoing attack attempts
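The crash-log indicator above can be checked mechanically. This added example (not part of the original advisory) parses Linux x86-64 kernel segfault records and reports processes that faulted on a NULL-page address inside libssl; the sample records are constructed, and a match indicates a NULL dereference in libssl in general, not this CVE specifically.

```python
import re
from collections import defaultdict

# Linux x86-64 kernel segfault record, as found in dmesg, journald or syslog.
SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip [0-9a-f]+ sp [0-9a-f]+ error \d+"
    r"(?: in (?P<obj>[^\[\s]+)\[)?"
)
PAGE_SIZE = 0x1000  # fault addresses below this are treated as NULL-relative


def libssl_null_derefs(lines):
    """Return {process name: [pid, ...]} for NULL-page faults raised inside libssl."""
    hits = defaultdict(list)
    for line in lines:
        m = SEGV.search(line)
        if not m or not m["obj"]:
            continue
        # A statically linked OpenSSL (e.g. inside the node binary) would name that
        # binary here instead of libssl and needs its own match rule.
        if int(m["addr"], 16) < PAGE_SIZE and m["obj"].startswith("libssl"):
            hits[m["comm"]].append(int(m["pid"]))
    return dict(hits)


def repeated_crashers(lines, threshold=2):
    """Process names seen crashing this way at least `threshold` times."""
    hits = libssl_null_derefs(lines)
    return sorted(name for name, pids in hits.items() if len(pids) >= threshold)


# Constructed sample records (hostname, PIDs and addresses are made up).
SAMPLE_LOG = [
    "Mar 26 10:02:11 web1 kernel: nginx[2201]: segfault at 0 ip 00007f3a5c0b1a2e "
    "sp 00007ffc1d2e4b10 error 4 in libssl.so.1.1[7f3a5c08e000+4d000]",
    "Mar 26 10:02:14 web1 kernel: nginx[2215]: segfault at 0 ip 00007f3a5c0b1a2e "
    "sp 00007ffc1d2e4b10 error 4 in libssl.so.1.1[7f3a5c08e000+4d000]",
    "Mar 26 10:05:40 web1 kernel: haproxy[911]: segfault at 18 ip 00007f11aa0b1a40 "
    "sp 00007ffd02e4c000 error 4 in libssl.so.1.1[7f11aa08e000+4d000]",
    "Mar 26 10:07:02 web1 kernel: worker[4410]: segfault at 7f10dead0000 ip "
    "00007f10de2a1b00 sp 00007ffe5a001000 error 6 in libc-2.28.so[7f10de200000+148000]",
    "Mar 26 10:08:00 web1 kernel: php-fpm[600]: segfault at 0 ip 00007f55c0012345 "
    "sp 00007ffc77001000 error 4 in libxml2.so.2[7f55c0000000+15e000]",
]

if __name__ == "__main__":
    for name, pids in libssl_null_derefs(SAMPLE_LOG).items():
        print(f"{name}: {len(pids)} NULL dereference crash(es) in libssl, pids {pids}")
    print("alert on:", repeated_crashers(SAMPLE_LOG))
```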
How to Mitigate CVE-2021-3449
Immediate Actions Required
- Upgrade OpenSSL to version 1.1.1k or later immediately on all affected systems
- If immediate patching is not possible, disable TLS renegotiation as a temporary mitigation
- Inventory all systems using OpenSSL 1.1.1 through 1.1.1j to identify vulnerable deployments
- Prioritize internet-facing TLS servers for immediate remediation
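For the inventory and upgrade steps above, this added example (not from the original advisory) classifies `openssl version` output against the ranges stated on this page and finds processes that still map a replaced libssl after an upgrade. The function names and the sample `/proc/<pid>/maps` text are constructed for illustration.

```python
import glob
import re

VERSION = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
DELETED = " (deleted)"


def classify(version_output):
    """Map `openssl version` output to the status this page gives for CVE-2021-3449."""
    m = VERSION.search(version_output)
    if not m:
        return "unparsed"
    series, letter = tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)
    if series == (1, 0, 2):
        return "not affected"
    if series == (1, 1, 1):
        # "" is the base 1.1.1 release; a..j are affected, k onward is fixed.
        # Distribution packages may backport the fix without changing the letter,
        # so confirm "affected" results against the vendor advisory.
        return "affected" if letter < "k" else "fixed"
    return "not listed"


def stale_libssl(maps_text):
    """Return libssl paths still mapped although the file was replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) == 6 and fields[5].endswith(DELETED):
            path = fields[5][: -len(DELETED)]
            if "/libssl.so" in path:
                stale.add(path)
    return sorted(stale)


def scan_proc():
    """Linux only: {pid: [stale libssl paths]} for processes the caller can read."""
    found = {}
    for maps in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(maps) as fh:
                stale = stale_libssl(fh.read())
        except OSError:
            continue  # process exited or access denied
        if stale:
            found[int(maps.split("/")[2])] = stale
    return found


# Constructed maps excerpt for a process started before the library was upgraded.
SAMPLE_MAPS = """\
7f3a5c08e000-7f3a5c0ab000 r--p 00000000 08:01 1311234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a5c0ab000-7f3a5c0f8000 r-xp 0001d000 08:01 1311234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a5c200000-7f3a5c225000 r--p 00000000 08:01 1310001 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7ffc1d2c4000-7ffc1d2e5000 rw-p 00000000 00:00 0 [stack]
"""
```

Any PID returned by `scan_proc()` is still running the old library in memory and needs a restart before the upgrade takes effect.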
Patch Information
The vulnerability is fixed in OpenSSL 1.1.1k. Users should upgrade to this version or later. OpenSSL 1.0.2 is not affected by this vulnerability. Multiple vendors have released patches for products that bundle OpenSSL, including:
- OpenSSL Security Advisory - Official patch announcement
- Oracle CPU April 2021 - Oracle product patches
- Siemens Security Advisory SSA-772220 - Siemens product updates
- Debian Security Advisory DSA-4875 - Debian package updates
Workarounds
- Disable TLS renegotiation using the SSL_OP_NO_RENEGOTIATION option on servers where upgrading is not immediately possible
- Implement rate limiting on TLS connections to reduce the impact of potential DoS attempts
- Deploy Web Application Firewalls or TLS-aware load balancers that can filter malformed handshakes
- Consider temporarily restricting TLS server access to trusted client IP ranges if feasible
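# Check the OpenSSL version on Linux systems (this reports the system openssl binary;
# applications that bundle their own OpenSSL, such as Node.js, must be checked separately)
openssl version
# Example: nginx protocol selection
# In the ssl server block:
# ssl_protocols TLSv1.2 TLSv1.3;
# Note: TLSv1.3 does not support renegotiation, but this line still allows TLSv1.2,
# so it does not disable renegotiation by itself
# Update OpenSSL on Debian/Ubuntu (the fix is in the libssl1.1 library package)
sudo apt update && sudo apt install --only-upgrade openssl libssl1.1
# Update OpenSSL on RHEL/CentOS
sudo yum update openssl
# Restart TLS services afterwards so they load the patched library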


