
Threat Intelligence: OpenSSL Vulnerability

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:

The OpenSSL Project has recently released a new patch for OpenSSL which addresses two high-severity security flaws, the details of which are below. OpenSSL is an open source tool which secures communications over computer networks using SSL (Secure Sockets Layer) and TLS (Transport Layer Security). This library is often shipped with Linux distributions, Docker containers and development software. It can be installed on macOS and Windows as an optional extra. Both vulnerabilities reside in the name constraint checking function of X.509 certificate verification.

CVE-2022-3602

CVE-2022-3602 is the first vulnerability, with a CVSS (Common Vulnerability Scoring System) severity score of 8.8 (high). It lies in the way OpenSSL 3.x processes certificates: a specially crafted email address can overflow four attacker-controlled bytes on the stack, potentially causing a system crash or, in the worst case, remote code execution.

This vulnerability was originally classified as ‘Critical’ but has since been downgraded to ‘High’, as OpenSSL determined that the potential for Remote Code Execution (RCE) was low because modern platforms include stack overflow protections.

CVE-2022-3786

The second vulnerability is tracked as CVE-2022-3786 and, like the first, is a buffer overrun: a threat actor crafting a malicious email address in a certificate can overflow an arbitrary number of bytes containing the '.' character (decimal 46) onto the stack. This overflow could cause a crash, resulting in denial of service (DoS).

Both vulnerabilities are most likely to be triggered when a server that requests client authentication is connected to by a threat actor, or when a user connects to a malicious server. To exploit either flaw, an attacker would need to convince a certificate authority to sign a malicious certificate, or the user would need to allow an application to continue with certificate verification despite its failing to construct a path to a trusted issuer.

Remediation

These flaws were introduced in OpenSSL 3.0.0 with the addition of its punycode decoding functionality, which is used to process email address name constraints in X.509 certificates. They therefore only affect OpenSSL 3.0.0 through OpenSSL 3.0.6.

To find out the version of OpenSSL which is running on Linux, users can run the following command:

openssl version

It is highly recommended to update to OpenSSL version 3.0.7 as soon as possible, as this has been released to address these vulnerabilities.
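To turn the version check above into a repeatable test, the following is an added example (not code from this advisory or from the OpenSSL project) that classifies the output of `openssl version` against the affected range, 3.0.0 through 3.0.6. It assumes that every release from 3.0.7 onward carries the fix, and it reports any string it cannot parse as unknown.

```shell
#!/bin/sh
# Added example (not from the DigitalXRAID advisory or the OpenSSL project):
# classify an `openssl version` string against the affected range named in
# the advisory, OpenSSL 3.0.0 through 3.0.6, with 3.0.7 as the fixed release.
# Releases outside that range are reported as "unaffected"; treating every
# release after 3.0.7 as carrying the fix is an assumption of this script.

openssl_status() {
    # Pull the X.Y.Z version token out of output such as
    # "OpenSSL 3.0.2 15 Mar 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
    # A bare "3.0.6" is accepted too. Anything else (for example a
    # different TLS library reporting its own name) is "unknown".
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\2/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    major=${ver%%.*}          # e.g. 3
    rest=${ver#*.}            # e.g. 0.6
    minor=${rest%%.*}         # e.g. 0
    patch=${rest#*.}          # e.g. 6 (digits only, letter suffixes dropped above)

    # The advisory scopes the flaw to 3.0.0 through 3.0.6: 1.x predates the
    # punycode decoder and 3.0.7 is the release that fixes it.
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo "vulnerable"
    else
        echo "unaffected"
    fi
    return 0
}

# Stand-alone use: classify the library on this host, or a version string
# passed as the first argument (e.g. one collected from a fleet inventory).
if [ -n "${1:-}" ]; then
    openssl_status "$1"
else
    openssl_status "$(openssl version 2>/dev/null)"
fi
```

Distribution packages can carry the 3.0.7 fix as a package revision without changing the upstream version the binary reports, so treat a "vulnerable" result as a prompt to check your distribution's own advisory rather than as a final verdict.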

The download for OpenSSL 3.0.7 can be found on the OpenSSL website here.

Further information on the vulnerabilities can be found on the OpenSSL blog post here.

If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.

If you need any support in mitigating any risks this vulnerability may have on your business, please don’t hesitate to get in contact.
