CVE-2023-0215 is a use-after-free vulnerability in OpenSSL affecting versions 3.0.0, 1.1.1, and 1.0.2. The flaw exists in the public API function BIO_new_NDEF, which is used to create a BIO chain for streaming ASN.1 data, primarily supporting SMIME, CMS, and PKCS7 streaming. The function prepends a new ASN.1 filter BIO to an existing BIO chain and returns the new head. Under certain error conditions, such as when a CMS recipient public key is invalid, the newly created filter BIO is freed and the function returns NULL to indicate failure. However, the original BIO chain passed by the caller is not properly cleaned up and retains dangling pointers to the freed BIO filter. If the caller subsequently calls BIO_pop() on this BIO, a use-after-free occurs, likely causing a crash. This vulnerability manifests internally in the B64_write_ASN1() function, which calls BIO_new_NDEF() and then BIO_pop(). Several public API functions that perform ASN.1 streaming operations, including PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS, and SMIME_write_PKCS7, are impacted. Additional affected functions include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream, and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line tools are also vulnerable. The vulnerability is classified as CWE-416 (Use After Free) and has a CVSS v3.1 base score of 7.5 (high severity), with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability (causing crashes). No known exploits are currently reported in the wild. No patches are linked in the provided data, so mitigation likely requires updating OpenSSL to a fixed version once available or applying vendor advisories.

For European organizations, this vulnerability poses a risk primarily to systems that utilize OpenSSL for cryptographic operations involving ASN.1 streaming, especially those handling SMIME, CMS, or PKCS7 data formats. Such systems include secure email gateways, document signing services, and applications performing cryptographic message syntax operations. Exploitation leads to use-after-free conditions causing application crashes, resulting in denial of service (DoS). While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can disrupt critical security services, potentially affecting secure communications and document processing workflows. Organizations relying on OpenSSL command line tools cms and smime for automated cryptographic tasks may experience service interruptions. Given the widespread use of OpenSSL in European IT infrastructure, especially in sectors like finance, healthcare, and government, the disruption of cryptographic services could have cascading operational impacts. However, the lack of known exploits and the requirement for specific error conditions to trigger the flaw somewhat limit immediate exploitation risk. Nonetheless, the vulnerability should be addressed promptly to prevent potential DoS attacks and maintain trust in cryptographic operations.

1. Monitor OpenSSL vendor advisories and promptly apply official patches or updates that address CVE-2023-0215 once released. 2. Until patches are available, review and audit applications using OpenSSL APIs related to ASN.1 streaming (e.g., BIO_new_NDEF and related functions) to identify usage patterns that may trigger the vulnerability, particularly where invalid CMS recipient keys might be processed. 3. Implement input validation and error handling to prevent passing invalid or malformed CMS recipient keys or ASN.1 data that could cause the vulnerable code path to execute. 4. Where feasible, isolate or sandbox applications performing ASN.1 streaming operations to limit the impact of potential crashes. 5. For critical systems, consider deploying runtime memory safety tools or sanitizers during testing to detect use-after-free conditions. 6. Educate developers and system administrators about the vulnerability to avoid unsafe usage of affected OpenSSL APIs. 7. For command line tool usage, avoid processing untrusted input or implement additional validation layers to reduce risk. 8. Maintain robust monitoring and alerting for application crashes related to OpenSSL operations to detect exploitation attempts early.