GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps

Static analyzer proves its worth with discovery of null-pointer error


A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL.

Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It is possible to crash a server or application that uses a vulnerable build of OpenSSL by sending specially crafted messages while setting up a TLS 1.3 connection.

This means it's possible to disrupt or knock offline HTTPS websites that use a vulnerable version of the crypto library, by sending a prod-of-death. It can also be used by rogue servers to crash web browsers and other apps connecting in.

OpenSSL is a software library widely used to provide encrypted connections across networks and the internet. Here's the technical description from the OpenSSL maintainers of the flaw:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

The programming blunder is fixed in the OpenSSL 1.1.1g release: versions 1.1.1d, 1.1.1e, and 1.1.1f are affected. Users with buggy versions installed are advised to upgrade as soon as possible. Developers shipping the library should update their packages and push them to users to install. Matt Caswell and Benjamin Kaduk are credited for performing further analysis of the bug prior to its disclosure this week.

While the flaw is an irritation – it's not remote-code execution but it can potentially hose servers and apps – programmers may be more interested in how it was uncovered. Edlinger credits the discovery of the bug to GCC 10's brand new static analysis feature. Edlinger ran that tool over the OpenSSL source, and the flaw was revealed in diagnostic output.

The static analysis feature was introduced as a way to check C code for common exploitable programming gaffes during build time, before any binaries are shipped to users. It can catch things like double free() calls, use-after-free bugs, memory leaks, and so on. C++ support is said to be in the works.

Last month, Red Hat toolchain developer David Malcolm, who worked on the feature, said the aim was to help developers iron out potentially exploitable vulnerabilities in their code prior to release.

"My thinking here is that it’s best to catch problems as early as possible as the code is written, using the compiler the code is written in as part of the compile-edit-debug cycle, rather than having static analysis as an extra tool 'on the side' (perhaps proprietary)," he explained in a technical memo that details the analyzer's features.

"Hence, it seems worthwhile to have a static analyzer built into the compiler that can see exactly the same code as the compiler sees — because it is the compiler."

That the analyzer tool, accessed through the -fanalyzer command-line option, has already been shown to be capable of catching serious errors in deployed code will be a nice vote of confidence in the feature.
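To make the bug class concrete, here is an added illustration (not OpenSSL source, and not code from the GCC project) of a lookup that returns NULL for an unrecognised signature algorithm, first dereferenced without a check and then with the check in place. The struct, function names and table are hypothetical; only the -fanalyzer option comes from the article.

```c
/* Added illustration; NOT OpenSSL source. All names are hypothetical.
 * Analyze with: gcc -fanalyzer -c sigalg_demo.c   (GCC 10 or later) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct sigalg_info {
    uint16_t id;        /* code point received from the peer */
    const char *name;
    int hash_len;       /* digest length in bytes */
};

/* Constructed table of the algorithms this toy endpoint recognises. */
static const struct sigalg_info known_sigalgs[] = {
    { 0x0403, "ecdsa_secp256r1_sha256", 32 },
    { 0x0804, "rsa_pss_rsae_sha256",    32 },
    { 0x0805, "rsa_pss_rsae_sha384",    48 },
};

/* Returns NULL when the peer sends an unrecognised code point. */
static const struct sigalg_info *lookup_sigalg(uint16_t id)
{
    for (size_t i = 0; i < sizeof known_sigalgs / sizeof known_sigalgs[0]; i++)
        if (known_sigalgs[i].id == id)
            return &known_sigalgs[i];
    return NULL;
}

/* Flawed: uses the lookup result without checking it. */
int hash_len_unchecked(uint16_t peer_id)
{
    const struct sigalg_info *sa = lookup_sigalg(peer_id);
    return sa->hash_len;   /* NULL dereference if peer_id is unknown */
}

/* Corrected: an unknown algorithm is rejected, not dereferenced. */
int hash_len_checked(uint16_t peer_id)
{
    const struct sigalg_info *sa = lookup_sigalg(peer_id);
    if (sa == NULL)
        return -1;
    return sa->hash_len;
}

int main(void)
{
    /* 0xffff is a constructed, unrecognised value. */
    printf("known:   %d\n", hash_len_checked(0x0804));
    printf("unknown: %d\n", hash_len_checked(0xffff));
    return 0;
}
```

The unchecked function has a path on which the NULL returned by the lookup reaches the dereference, which is the kind of path the analyzer is built to trace; the checked function has no such path.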

"My hope is that the analyzer provides a decent amount of extra checking while not being too expensive," Malcolm said earlier. "I’ve aimed for -fanalyzer to 'merely' double the compile time as a reasonable trade-off for the extra checks."

For what it's worth, other toolchains, such as Clang-LLVM, feature static analysis, though it's good to see it built into GCC, which is used to compile a huge number of things, not least the Linux kernel. That means hopefully a good number of security bugs out there will be discovered and squashed as more programmers migrate to GCC 10 and take the analyzer out for a spin (preferably ahead of miscreants using the feature to develop exploit code for nefarious purposes).

The analyzer is available from the master branch of the GCC 10 source code. It's hoped the feature will be finalized in time for version 10's official release, due this month or next. The current latest version is 9.3. ®
