CVE-2023-35784 Overview
A critical memory corruption vulnerability has been identified in OpenBSD and LibreSSL involving a double free or use after free condition that can occur after calling the SSL_clear function. This vulnerability affects OpenBSD 7.2 before errata 026, OpenBSD 7.3 before errata 004, and LibreSSL versions before 3.6.3 and 3.7.x before 3.7.3. Importantly, OpenSSL is not affected by this vulnerability.
Critical Impact
This double free/use after free vulnerability in SSL/TLS implementations can be exploited remotely without authentication, potentially leading to arbitrary code execution, denial of service, or information disclosure on affected systems.
Affected Products
- OpenBSD 7.2 (before errata 026)
- OpenBSD 7.3 (before errata 004)
- LibreSSL before 3.6.3
- LibreSSL 3.7.x before 3.7.3
Discovery Timeline
- 2023-06-16 - CVE-2023-35784 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-35784
Vulnerability Analysis
This vulnerability represents a classic memory safety issue in the SSL_clear function within OpenBSD's SSL/TLS implementation. When SSL_clear is called to reset an SSL connection structure for reuse, the function fails to properly invalidate certain internal pointers after freeing associated memory. This creates a dangerous condition where subsequent operations may reference freed memory (use after free) or attempt to free the same memory region twice (double free).
The vulnerability is particularly concerning because SSL/TLS libraries are foundational security components used for encrypted communications. Memory corruption in these libraries can undermine the security guarantees they provide and potentially allow attackers to execute arbitrary code in the context of the vulnerable application.
Root Cause
The root cause of CVE-2023-35784 lies in improper pointer management within the s3_lib.c source file. When memory is freed during the SSL connection reset process, the corresponding pointers are not set to NULL or otherwise invalidated. This violates secure coding practices for memory management in C and creates exploitable conditions where stale pointers remain accessible.
The GitHub LibreSSL Commit Update shows the fix involved adding missing pointer invalidation after freeing memory, ensuring that subsequent accesses would fail safely rather than referencing freed memory.
Attack Vector
This vulnerability can be exploited remotely over the network without requiring authentication or user interaction. An attacker could potentially craft malicious SSL/TLS traffic designed to trigger the vulnerable code path in SSL_clear, causing the double free or use after free condition. Successful exploitation could result in:
- Remote Code Execution: Memory corruption could be leveraged to execute arbitrary code
- Denial of Service: Crashing the application through memory corruption
- Information Disclosure: Reading sensitive data from freed memory regions
-/* $OpenBSD: s3_lib.c,v 1.242 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.243 2023/05/16 14:10:43 jcs Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
Source: GitHub LibreSSL Commit Update
Detection Methods for CVE-2023-35784
Indicators of Compromise
- Unexpected application crashes or segmentation faults in processes using LibreSSL or OpenBSD SSL libraries
- Memory corruption errors in system logs related to SSL/TLS operations
- Abnormal SSL/TLS connection patterns with repeated connection resets
- Core dumps indicating double free or heap corruption in SSL library components
Detection Strategies
- Monitor for process crashes in applications utilizing LibreSSL, particularly those handling high volumes of SSL/TLS connections
- Deploy memory sanitizers (ASan, MSan) in development and staging environments to detect use after free conditions
- Implement network monitoring for anomalous SSL/TLS handshake patterns that may indicate exploitation attempts
- Audit system logs for SSL-related errors that could indicate memory corruption events
Monitoring Recommendations
- Configure centralized logging to capture SSL library error messages and crash reports
- Implement real-time alerting for application crashes in SSL-enabled services
- Monitor for unusual network traffic patterns on SSL/TLS ports (443, 8443, etc.)
- Track LibreSSL and OpenBSD version information across your infrastructure to identify vulnerable systems
How to Mitigate CVE-2023-35784
Immediate Actions Required
- Inventory all systems running OpenBSD 7.2, OpenBSD 7.3, or LibreSSL to identify vulnerable deployments
- Apply the relevant errata patches immediately: errata 026 for OpenBSD 7.2 and errata 004 for OpenBSD 7.3
- Upgrade LibreSSL to version 3.6.3 or later (or 3.7.3 for the 3.7.x branch)
- Restart all services and applications that use the patched SSL libraries to ensure the fix is active
Patch Information
OpenBSD has released official patches to address this vulnerability. The patches add proper pointer invalidation after memory is freed, preventing the double free and use after free conditions. The following resources provide the official fixes:
- OpenBSD 7.2 SSL Patch Signature - Patch for OpenBSD 7.2
- OpenBSD 7.3 SSL Patch Signature - Patch for OpenBSD 7.3
- OpenBSD LibreSSL 3.6.3 Release Notes - LibreSSL 3.6.3 release
- OpenBSD LibreSSL 3.7.3 Release Notes - LibreSSL 3.7.3 release
Workarounds
- If immediate patching is not possible, consider temporarily disabling or restricting access to services that heavily utilize SSL connection reuse
- Implement network segmentation to limit exposure of vulnerable systems to untrusted networks
- Deploy Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) to detect and block potential exploitation attempts
- Monitor affected systems closely for signs of exploitation while preparing for patch deployment
# OpenBSD 7.2 - Apply errata 026
cd /usr/src
signify -Vep /etc/signify/openbsd-72-base.pub -x 026_ssl.patch.sig -m - | patch -p0
# OpenBSD 7.3 - Apply errata 004
cd /usr/src
signify -Vep /etc/signify/openbsd-73-base.pub -x 004_ssl.patch.sig -m - | patch -p0
# Rebuild and install the SSL library
cd /usr/src/lib/libssl
make obj && make && make install
# Restart affected services
rcctl restart httpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
