CVE-2023-0401
NULL dereference during PKCS7 data verification
A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data.
We have discovered 19,072 live websites that are affected by CVE-2023-0401.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 30 |
| Vulnerable Domains | 19,072 live websites (1.75% of OpenSSL install base) |
Details
- Published - Feb 8, 2023
- Updated - Feb 24, 2023
Credits
- Hubert Kario (Red Hat) (reporter)
- Dmitry Belyavsky (Red Hat) (reporter)
- Tomáš Mráz (remediation developer)
CVE References
CWE References
Countries
 United States | 4,956 websites |
 Germany | 2,436 websites |
 France | 1,611 websites |
 Japan | 1,030 websites |
 GB | 864 websites |
 Finland | 803 websites |
 Czech Republic | 711 websites |
 Italy | 675 websites |
 Hungary | 521 websites |
 Canada | 473 websites |
TLDs
| .com | 5,688 websites |
| .de | 1,651 websites |
| .org | 1,053 websites |
| .edu | 962 websites |
| .net | 915 websites |
| .fr | 780 websites |
| .fi | 661 websites |
| .cz | 568 websites |
| .it | 496 websites |
| .co.uk | 489 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redReferences
- https://www.openssl.org/news/secadv/20230207.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d3b6dfd70db844c4499bec6ad6601623a565e674
- https://security.gentoo.org/glsa/202402-08
Websites affected by CVE-2023-0401
Top websites that are affected by CVE-2023-0401. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.org | United States | *,*** | |
| ***.******.org | United States | *,*** | |
| ****.******.org | United States | *,*** | |
| ****.org | United States | *,*** | |
| ***.****.org | United States | *,*** | |
| ***.net |  Singapore | *,*** | |
| ********.org | Germany | *,*** | |
| ********.edu | United States | **,*** | |
| **********.******.com | United States | **,*** | |
| ***.********.be |  Belgium | **,*** |