FERRAMENTAS LINUX: The OpenSSL “Silent Crash” Vulnerability: A Practical Guide for SUSE & Every Linux Admin

Wednesday, 22 April 2026

The OpenSSL “Silent Crash” Vulnerability: A Practical Guide for SUSE & Every Linux Admin

 


OpenSSL NULL pointer crashes? A remote attacker can kill your service with one malformed packet. Learn to check, patch, and block it on SUSE & any Linux distro. Includes a ready-to-use automation script and an iptables backup plan.

First disclosed in April 2026 – but this is just the latest reminder: OpenSSL’s CMS (Cryptographic Message Syntax) code has a long history of NULL pointer issues.

This particular flaw (CVE-2026-28390) allows a remote, unauthenticated attacker to crash any service that uses OpenSSL 1.1.1d to process a crafted CMS EnvelopedData message.

The result? Denial of service (DoS). Your web server, mail server, or VPN daemon stops – no error log, just a silent exit.

Because the vulnerable code pattern exists in many OpenSSL versions, this guide will stay useful for years. You will learn:

  • How to check your own system (not just SUSE).
  • A universal bash script to apply the fix across major distros.
  • An immediate iptables workaround if you cannot patch right now.
  • One affiliate resource that teaches you to audit crypto code yourself.

1. How to check if you are vulnerable (actual commands for SUSE & others)



The vulnerable library is libcrypto.so from OpenSSL 1.1.1 series. The specific SUSE products affected are:

On SUSE (zypper-based):

```bash
# Check your openssl-1_1 package version
zypper info openssl-1_1 | grep Version

# If the version is 1.1.1d-2.128.1 or lower, you are vulnerable.
# Also check whether the patch is already applied:
zypper patches | grep 2026-1549
```


On any Linux distro (Debian/Ubuntu/RHEL/Fedora):

```bash
# Find the OpenSSL libraries your running service is linked against
# (the vulnerable code lives in libcrypto, so match both libssl and libcrypto)
ldd "$(which nginx)" | grep -E 'libssl|libcrypto'
# or for Apache:
ldd "$(which httpd)" | grep -E 'libssl|libcrypto'

# Then query the library version (compare the path printed above with
# "ldconfig -p | grep libcrypto" if more than one OpenSSL is installed)
openssl version -a
```


If openssl version shows 1.1.1d (or any 1.1.1 before 1.1.1e) – you are in the danger zone. But newer versions might still be vulnerable if backported patches are missing. Always check your distro’s CVE tracker.

Quick one-liner to see whether the library your system loads contains the CMS EnvelopedData code at all (this only proves the code is present, not that it is unpatched, so treat a hit as a prompt to check the version, not as proof of vulnerability):

```bash
strings "$(ldconfig -p | grep libcrypto.so | head -1 | awk '{print $NF}')" | grep -q "CMS_EnvelopedData" && echo "Potentially vulnerable library found"
```
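The snippets above check the package, the binary and the library separately. The script below combines them into one check and adds the step admins most often miss: listing running processes that still have libcrypto 1.1 mapped, including a "(deleted)" copy left behind by an update that was never followed by a restart. This is an added example, not code from the original post; it assumes the openssl CLI is on PATH and that /proc is readable.

```shell
#!/bin/sh
# check-openssl-cms.sh: added example, not part of the original post.
# Flags an OpenSSL in the 1.1.1 pre-1.1.1e range the post describes and lists
# processes still mapping libcrypto 1.1 ("(deleted)" = old copy, needs restart).
# Numeric rank of a one-letter release suffix ("" -> 0, "a" -> 97, ...).
suffix_ord() { if [ -n "$1" ]; then printf '%d' "'$1"; else echo 0; fi; }

# Return 0 if OpenSSL version $1 is older than $2, e.g. "1.1.1d" < "1.1.1e":
# compare the dotted numeric part field by field, then the letter suffix.
openssl_version_lt() {
    a_num=${1%%[a-z]*}; a_suf=${1#"$a_num"}
    b_num=${2%%[a-z]*}; b_suf=${2#"$b_num"}
    i=1
    while :; do
        fa=$(printf '%s.' "$a_num" | cut -d. -f"$i")
        fb=$(printf '%s.' "$b_num" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && break
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
        i=$((i + 1))
    done
    [ "$(suffix_ord "$a_suf")" -lt "$(suffix_ord "$b_suf")" ]
}

# Return 0 when $1 is a 1.1.1 release before 1.1.1e; later releases may still
# be affected if the distro backport is missing, so check the CVE tracker too.
is_vulnerable_version() {
    case "$1" in 1.1.1*) openssl_version_lt "$1" 1.1.1e ;; *) return 1 ;; esac
}

# Version string printed by the openssl CLI, e.g. "1.1.1d" (empty if absent).
installed_openssl_version() { openssl version 2>/dev/null | awk '{print $2}'; }

# One line per process with libcrypto.so.1.1 mapped: "PID COMM LOADED|STALE".
# STALE means the mapping is "(deleted)": the file was replaced by an update
# but the process never restarted, so it still runs the old code.
processes_using_libcrypto() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        line=$(grep -m1 'libcrypto\.so\.1\.1' "$maps" 2>/dev/null) || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        case "$line" in *"(deleted)"*) st=STALE ;; *) st=LOADED ;; esac
        echo "$pid $comm $st"
    done
}

v=$(installed_openssl_version); echo "installed openssl: ${v:-not found}"
is_vulnerable_version "$v" && echo "IN VULNERABLE RANGE (1.1.1 before 1.1.1e): patch or mitigate"
processes_using_libcrypto
```

Any line ending in STALE is a service that was updated on disk but is still executing the pre-update library; restart it.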

2. Automation script to apply the fix (bash compatible with major distros)

Save this as fix-openssl-null.sh and run it as root. It detects your distro, applies the official update, and restarts the common services that are currently running (a process keeps the old libcrypto mapped until it is restarted, so the update alone is not enough).

```bash
#!/bin/bash
# fix-openssl-null.sh – Evergreen OpenSSL NULL pointer fix
set -e

if [ "$(id -u)" -ne 0 ]; then
    echo "[!] Run this script as root." >&2
    exit 1
fi

echo "[*] Detecting distribution..."
OS=""
VER=""
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
    VER=$VERSION_ID
fi

case "$OS" in
    sles|suse|opensuse-leap|opensuse-tumbleweed)
        echo "[*] Updating openssl-1_1 on SUSE ($OS $VER)"
        zypper --non-interactive refresh
        # Prefer the CVE-specific patch; fall back to a plain package update
        zypper --non-interactive patch --cve=CVE-2026-28390 || zypper --non-interactive update openssl-1_1
        ;;
    debian|ubuntu)
        echo "[*] Updating on Debian/Ubuntu ($OS $VER)"
        apt-get update
        # --only-upgrade skips packages that are not installed (e.g. libssl1.1 on newer releases)
        apt-get install -y --only-upgrade openssl libssl1.1
        ;;
    rhel|centos|fedora|rocky|almalinux)
        echo "[*] Updating on RHEL family ($OS $VER)"
        if command -v dnf >/dev/null 2>&1; then
            dnf -y update openssl
        else
            yum -y update openssl
        fi
        ;;
    *)
        echo "[!] Unsupported OS '$OS'. Please update openssl manually." >&2
        exit 1
        ;;
esac

echo "[*] Restarting running services that use libcrypto"
for svc in nginx httpd apache2 postfix dovecot sshd; do
    # Restart only services that exist and are active, so set -e does not abort on missing units
    if systemctl is-active --quiet "$svc" 2>/dev/null; then
        echo "    restarting $svc"
        systemctl restart "$svc"
    fi
done

echo "[✓] Fix applied. Reboot recommended but not required."
```


Usage:

```bash
chmod +x fix-openssl-null.sh
sudo ./fix-openssl-null.sh
```


3. Alternative mitigation if you can’t update now (iptables, AppArmor, proxy)


You cannot always restart production or install updates immediately. Here are three working mitigations.


A. Rate-limit new TLS connections with iptables (connection tracking)

The trigger is a specific pattern: a CMS EnvelopedData with a KeyTransportRecipientInfo that leads to the NULL pointer dereference. You cannot easily filter on that payload with iptables, but you can rate-limit new TLS connections per source address to reduce impact. Keep in mind that a single crafted message is enough to crash the process, so this limits how often an attacker can repeat the crash rather than preventing it:

```bash
# Let packets of existing connections through first; without this rule the
# final DROP would also kill every established TLS session
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow new TLS handshakes at up to 10 per second per source IP (burst 20)
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW \
  -m hashlimit --hashlimit-name tls_new --hashlimit-mode srcip \
  --hashlimit-upto 10/second --hashlimit-burst 20 -j ACCEPT
# Drop new connections from clients above that rate
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
```


B. Use an AppArmor profile to kill only the offending process


Create or edit /etc/apparmor.d/usr.sbin.nginx (example for nginx):

```text
/usr/sbin/nginx {
  # ... existing rules ...
  deny /dev/mem rw,
  # Disable core dumps: a crash from the NULL dereference exits without writing a core file
  set rlimit core <= 0,
}
```


Then reload: apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx

C. Put a reverse proxy in front (HAProxy or Nginx)

A proxy running a different OpenSSL version (or a patched one) terminates the malicious TLS connection before it reaches your vulnerable backend. This is the safest workaround. Confirm which OpenSSL the proxy itself links against (haproxy -vv prints it) before relying on it.

Example minimal HAProxy config (/etc/haproxy/haproxy.cfg):

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https-in
    bind :443 ssl crt /etc/ssl/yourcert.pem
    default_backend vulnerable_servers

backend vulnerable_servers
    server app1 10.0.0.5:443 check ssl verify none
```

Note that "verify none" skips checking the backend’s certificate; where you can, point HAProxy at the backend CA with "verify required ca-file ..." instead.

Then restart: systemctl restart haproxy


Recommended and Important Book




This is the classic book on avoiding NULL pointer dereferences, buffer overflows, and integer overflows. Chapter 5 specifically covers “Pointer Subterfuge” with real OpenSSL vulnerabilities as examples.

Why this book solves the problem long-term: After reading it, you will be able to review OpenSSL patches yourself and assess if a “moderate” CVE is critical in your environment. That skill pays for itself after one missed patch.

Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.

Conclusion & Action

Do not wait for the next suse-2026-1549-1. Build a repeatable process:

  • Run the check script now.
  • If vulnerable, apply the automation script.
  • If you cannot patch, deploy the iptables or proxy mitigation.

