LiveActive security incident?Get immediate response
CVE Record

CVE-2020-1971: EDIPARTYNAME NULL pointer dereference

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

MediumCVSS 5.9Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2020-1971 can crash applications using affected OpenSSL versions when they compare specially crafted certificate-related name data. The business impact is availability, not data theft. The issue matters most for systems that process untrusted certificates, automatically fetch CRLs, or verify timestamp tokens.

Executive priority

Treat as a moderate availability risk. It is not marked as actively exploited in the provided sources, but OpenSSL is widely embedded, so remediation should be included in normal security patch cycles and accelerated for certificate-processing infrastructure.

Technical view

OpenSSL GENERAL_NAME_cmp incorrectly handles EDIPARTYNAME values, allowing a NULL pointer dereference when two controlled GENERAL_NAME objects are compared. OpenSSL uses this during CRL distribution point matching and timestamp response verification. Affected ranges are OpenSSL 1.1.1 through 1.1.1h and 1.0.2 through 1.0.2w.

Likely exposure

Exposure is likely where servers, clients, appliances, or bundled products run affected OpenSSL and process attacker-influenced certificates plus CRLs, especially with automatic CRL download behavior. Products using OpenSSL only for ordinary TLS may still need inventory review, but exploitability depends on application behavior.

Exploitation context

The source bundle does not show CISA KEV listing or confirmed active exploitation. OpenSSL says the attack was demonstrated against its s_server, s_client, and verify tools using automatic CRL download, but the condition requires attacker control of both compared inputs.

Researcher notes

The key constraint is attacker control of both compared GENERAL_NAME inputs. Signature verification happens after the vulnerable CRL matching path, so malformed inputs may trigger before trust validation. Evidence supports denial of service only; no confidentiality or integrity impact is described.

Mitigation direction

  • Upgrade OpenSSL 1.1.1 deployments to 1.1.1i or later.
  • Upgrade OpenSSL 1.0.2 deployments to 1.0.2x or vendor-supported backports.
  • Apply distribution advisories from Debian, FreeBSD, Fedora, Gentoo, or your vendor.
  • Prioritize systems that fetch CRLs or verify timestamp response tokens.
  • If patching is blocked, check vendor guidance for temporary controls.

Validation and detection

  • Inventory OpenSSL versions across hosts, containers, appliances, and bundled applications.
  • Flag OpenSSL 1.1.1 through 1.1.1h and 1.0.2 through 1.0.2w.
  • Identify applications using automatic CRL downloads or timestamp verification APIs.
  • Confirm patched package versions from operating system vendor advisories.
  • Review crash telemetry for certificate or CRL processing failures.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-476: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-1971 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.9 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
26Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.9CVSS 3.1MediumCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H2.23.6CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

5.9Medium
CVSS 3.1 vector shape for CVE-2020-1971Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
OpenSSLOpenSSLFixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h), Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w)Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-476 · source CWE mapping

NULL Pointer Dereference

NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.