Cyber Resilience

CVE-2023-0286

Severity: High

Published: 08 February 2023
Modified: 04 November 2025
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.8833 (99.5th percentile)
Risk Priority: 68 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0286 is a high-severity type confusion (CWE-843) vulnerability in OpenSSL and LibreSSL X.509 certificate processing that also affects Stormshield Network Security and Stormshield Management Center (see Affected Assets). Its CVSS v3.1 base score is 7.4 (High).

Operationally, its EPSS score places it in the top 0.5% of CVEs by exploit likelihood (99.5th percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-0286 is a type confusion vulnerability in X.509 certificate processing that affects OpenSSL and LibreSSL. It stems from incorrect ASN.1 handling of X.400 addresses within the GENERAL_NAME structure: the x400Address field is defined as ASN1_TYPE in the public header but is actually parsed as an ASN1_STRING, causing the GENERAL_NAME_cmp function to misinterpret the data when comparing names.

An attacker who can supply both a certificate chain and a CRL can exploit the flaw when an application enables CRL checking via the X509_V_FLAG_CRL_CHECK flag. By presenting a malicious X.400 address, the attacker can cause arbitrary pointers to be passed to an internal memcmp call, resulting in either disclosure of memory contents or a denial of service. In most cases neither the supplied chain nor the CRL needs a valid signature; because the attacker must normally control both inputs, the flaw is primarily relevant to applications that implement their own network-based CRL retrieval rather than relying on local files.

Patches addressing the issue are available in OpenSSL (commits 2c6c9d439b, 2f7530077e, and fd2af07dc0) and LibreSSL 3.6.2, which correct the type definition and comparison logic for the affected field. The associated EPSS score has remained near its peak of 0.89 since disclosure.

Vulnerability details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
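The details above (and the Deeper analysis section) note that when an attacker controls only one of the two inputs, the other must already carry an X.400 address as a CRL distribution point, which is uncommon. As an added example that is not from the advisory, OpenSSL or this page's author, the following Python walks the DER of a CRLDistributionPoints extension value and reports every GeneralName that uses the x400Address choice, so a defender can check whether certificates in their own inventory meet that precondition. The extension value is assumed to have been extracted from the certificate or CRL already, the DER samples are constructed, and all function names are hypothetical.

```python
X400_ADDRESS = 3  # GeneralName CHOICE tag number for x400Address
def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag_class, tag_number, value, next_pos)."""
    first = buf[pos]
    tag_class, tag_number = first >> 6, first & 0x1F  # class 2 == context-specific
    if tag_number == 0x1F:
        raise ValueError("high tag numbers not supported")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag_class, tag_number, value, pos + length

def children(buf: bytes):
    # Yield (tag_class, tag_number, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(buf):
        tag_class, tag_number, value, pos = read_tlv(buf, pos)
        yield tag_class, tag_number, value

def count_x400(general_names: bytes) -> int:
    """Count x400Address choices inside an IMPLICIT-tagged GeneralNames."""
    return sum(1 for c, t, _ in children(general_names) if c == 2 and t == X400_ADDRESS)

def x400_crl_dps(ext_value: bytes):
    """Return [(distribution_point_index, field)] for every x400Address found."""
    tag_class, tag_number, dps, _ = read_tlv(ext_value, 0)
    if (tag_class, tag_number) != (0, 16):
        raise ValueError("expected SEQUENCE OF DistributionPoint")
    hits = []
    for i, (_, _, dp) in enumerate(children(dps)):
        for tag_class, tag_number, value in children(dp):
            if tag_class == 2 and tag_number == 0:  # distributionPoint: EXPLICIT [0] around a CHOICE
                for c, t, inner in children(value):
                    if c == 2 and t == 0:  # fullName: GeneralNames, IMPLICIT [0]
                        hits += [(i, "fullName")] * count_x400(inner)
            elif tag_class == 2 and tag_number == 2:  # cRLIssuer: GeneralNames, IMPLICIT [2]
                hits += [(i, "cRLIssuer")] * count_x400(value)
    return hits

def tlv(tag: int, content: bytes) -> bytes:  # short-form DER encoder for the samples
    return bytes([tag, len(content)]) + content

# Constructed samples: URI_DP points at a URL; X400_DP carries an x400Address holding an
# empty ORAddress (30 00) and a directoryName cRLIssuer holding an empty RDNSequence.
URI_DP = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/ca.crl"))))
X400_DP = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0xA3, tlv(0x30, b"")))) + tlv(0xA2, tlv(0xA4, tlv(0x30, b""))))
SAMPLE_EXT = tlv(0x30, URI_DP + X400_DP)  # x400_crl_dps(SAMPLE_EXT) -> [(1, 'fullName')]
```

Run it over the extension value of each certificate and CRL you issue or trust; any non-empty result marks an input that already satisfies the single-input precondition described above.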

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: openssl; Product: openssl; Versions: 1.0.2 — 1.0.2zg · 1.1.1 — 1.1.1t · 3.0.0 — 3.0.8
Vendor: stormshield; Product: stormshield management center; Versions: ≤ 3.3.3
Vendor: stormshield; Product: stormshield network security; Versions: 2.7.0 — 2.7.11 · 2.8.0 — 3.7.34 · 3.8.0 — 3.11.22

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.