CVE-2023-2650
Published: 30 May 2023
Summary
CVE-2023-2650 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openssl Openssl. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-2650 is a denial-of-service vulnerability in OpenSSL stemming from quadratic time complexity in OBJ_obj2txt() when translating specially crafted ASN.1 OBJECT IDENTIFIERs containing extremely large sub-identifiers. It affects OpenSSL 3.0 and later in the OCSP, PKCS7/SMIME, CMS, CMP/CRMF, and TS subsystems, as well as any code paths that process X.509 certificates or invoke OBJ_obj2txt() directly on untrusted data; earlier versions are impacted only for display purposes and rated low severity. The issue arises because sub-identifiers have no inherent size limit and can reach tens or hundreds of kilobytes, leading to prolonged processing delays.
An unauthenticated remote attacker can supply a malicious ASN.1 structure, such as a crafted certificate chain, OCSP response, CMS message, or other protocol element containing an oversized OBJECT IDENTIFIER, causing the target application to consume excessive CPU time and potentially become unresponsive. The attack requires no authentication or user interaction beyond delivery of the malformed data, though TLS exposure remains limited by OpenSSL's 100 KiB certificate-chain cap and the fact that only clients or servers with client authentication enabled are affected.
Publicly available patches, referenced in the OpenSSL git commits and oss-security advisory, address the quadratic behavior in OBJ_obj2txt() and related algorithm-identifier handling. The current EPSS score of 0.9174 with a peak of 0.9213 indicates sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34116
Vulnerability details
Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message…
more
size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.