CVE-2021-3449 NULL pointer deref in signature_algorithms processing
Summary (taken from OpenSSL public message on this CVE)
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).
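As an added example (not Kemp's or OpenSSL's code), the following Python check parses the extension block of two ClientHello messages and flags the combination the summary describes: signature_algorithms (extension type 13) present in the initial hello, absent from the renegotiation hello, and signature_algorithms_cert (type 50) present in the renegotiation hello. The sample messages are constructed; the extension type numbers are from the IANA TLS ExtensionType registry.

```python
import struct

# IANA TLS ExtensionType values (RFC 8446)
SIGNATURE_ALGORITHMS = 13
SIGNATURE_ALGORITHMS_CERT = 50


def parse_extensions(ext_block: bytes) -> dict:
    """Parse a TLS extensions block: 2-byte total length, then
    repeated (2-byte type, 2-byte length, data) records.
    Returns {extension_type: data}; truncated records are ignored."""
    if len(ext_block) < 2:
        return {}
    total = struct.unpack("!H", ext_block[:2])[0]
    body = ext_block[2:2 + total]
    exts, pos = {}, 0
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(body):
            break  # malformed: declared length runs past the block
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def build_extensions(records) -> bytes:
    """Serialise (type, data) pairs into a TLS extensions block
    (used here only to construct sample input)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in records)
    return struct.pack("!H", len(body)) + body


def is_cve_2021_3449_pattern(initial: bytes, renegotiation: bytes) -> bool:
    """True when the renegotiation ClientHello drops signature_algorithms
    that the initial ClientHello carried, yet still sends
    signature_algorithms_cert: the condition described for CVE-2021-3449."""
    first, second = parse_extensions(initial), parse_extensions(renegotiation)
    return (SIGNATURE_ALGORITHMS in first
            and SIGNATURE_ALGORITHMS not in second
            and SIGNATURE_ALGORITHMS_CERT in second)


# Constructed sample data: one rsa_pkcs1_sha256 (0x0401) entry in each list.
SIGALGS = b"\x00\x02\x04\x01"
INITIAL_HELLO = build_extensions([(SIGNATURE_ALGORITHMS, SIGALGS),
                                  (SIGNATURE_ALGORITHMS_CERT, SIGALGS)])
RENEG_HELLO_BAD = build_extensions([(SIGNATURE_ALGORITHMS_CERT, SIGALGS)])
RENEG_HELLO_OK = build_extensions([(SIGNATURE_ALGORITHMS, SIGALGS),
                                   (SIGNATURE_ALGORITHMS_CERT, SIGALGS)])

if __name__ == "__main__":
    print(is_cve_2021_3449_pattern(INITIAL_HELLO, RENEG_HELLO_BAD))  # True
    print(is_cve_2021_3449_pattern(INITIAL_HELLO, RENEG_HELLO_OK))   # False
```

The check only classifies the message pattern; a server is exposed to it only when TLSv1.2 and renegotiation are both enabled, as stated above.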
Is LoadMaster vulnerable?
LoadMaster v7.2.44 or earlier is not impacted
LoadMaster v7.2.45 or later is impacted
Is Kemp 360 Central vulnerable?
Kemp 360 Central is still under investigation
Is Kemp 360 Vision vulnerable?
Kemp 360 Vision is still under investigation
Recommended Actions
Kemp is working on determining the best way to resolve this issue.
There are currently two alternative workarounds:
- Disable SSL Renegotiation by unticking "Enable SSL Renegotiation" under Network Options.
- Alternatively, LoadMaster v7.2.53 or later includes an option to revert to OpenSSL v1.0.2, which is not affected by this issue.
For further information please reach out to the Kemp Support team.
Additional Information
For additional information about the discovered vulnerability:
CVE-2021-3449 (cve.mitre.org and NIST)
These pages also include the latest links to the security pages for the platform providers.
Kemp is committed to resolving security vulnerabilities carefully and quickly. If you think you have found a security flaw in a Kemp product, please send all supporting information to securityalert@kemp.ax.
Justin Benson
Are we ever getting a fix for this? We received notice of this flaw and have implemented the workaround since March 30, 2021. We would very much like to receive a permanent fix.