Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)

OpenSSL warned its users about a critical severity vulnerability through a pre-notification alert on October 25th, 2022, stating that the patches would be released on November 1st, 2022. 
 
OpenSSL, a software library, is used by programs that need to identify the other party in a connection or to encrypt conversations over computer networks against eavesdropping. Internet servers frequently employ it, and most HTTPS websites do as well. It also provides Transport Layer Security (TLS) support on Linux, Unix, Windows, and many other operating systems. 

OpenSSL made the advisories public on November 1st, 2022. The advisory addressed two high-severity buffer overrun vulnerabilities (CVE-2022-3602 and CVE-2022-3786). The vulnerabilities can allow an attacker to perform a buffer overflow attack on vulnerable versions that could result in a crash (causing a denial of service) or potentially remote code execution.

The pre-notification alert released by the OpenSSL Project had mentioned CVE-2022-3602 and CVE-2022-3786 as a single vulnerability of ‘Critical’ severity but it has now been downgraded to ‘High’ and split into two separate vulnerabilities.

X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) 

This vulnerability was discovered by Polar Bear. This is a buffer overrun vulnerability that can be triggered in X.509 certificate verification, specifically in name constraint checking. It is important to note that this vulnerability occurs after certificate chain signature verification and requires either a CA having signed the malicious certificate or the application continuing certificate verification even when a path to a trustworthy issuer could not be built.

An attacker can exploit this vulnerability by crafting a malicious email address to overflow four attacker-controlled bytes on the stack. A crash (resulting in a denial of service) or potential remote code execution could be caused by this buffer overflow. 

Many platforms implement stack overflow protections that reduce the possibility of remote code execution. Depending on the stack layout for a given platform or compiler, the risk may be further reduced.

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) 

This vulnerability was discovered by Viktor Dukhovni while researching CVE-2022-3602. This is a buffer overrun vulnerability that can be triggered in X.509 certificate verification, specifically in name constraint checking. It is important to note that this vulnerability occurs after certificate chain signature verification and requires either a CA having signed the malicious certificate or the application continuing certificate verification even when a path to a trustworthy issuer could not be built.

An attacker can exploit this vulnerability by crafting a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

This can occur in a TLS client by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.  

Affected Versions 
OpenSSL 3.x versions prior to version 3.0.7 are affected by these vulnerabilities.  
 
Mitigation 
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7 to patch these vulnerabilities. For more information, please refer to the OpenSSL advisory. 
 
Qualys Detection 
Qualys customers can scan their devices with the QIDs mentioned below: 

QID  Title  Version 
38879  Open Secure Sockets Layer (OpenSSL) Less Than 3.0.7 Critical Vulnerability  VULNSIGS-2.5.617-4 
377733  Open Secure Sockets Layer (OpenSSL) Less Than 3.0.7 Critical Vulnerability (Scan Utility)  VULNSIGS-2.5.620.2-2 
240798  Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2022:7288)  VULNSIGS-2.5.620-3 
752752  SUSE Enterprise Linux Security Update for openssl-3 (SUSE-SU-2022:3843-1)  VULNSIGS-2.5.621-2 
988530  Rust (Rust) Security Update for openssl-src (GHSA-h8jm-2x53-xhp5)  VULNSIGS-2.5.621-2 
199012  Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5710-1)  VULNSIGS-2.5.621-2 
710678  Gentoo Linux Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (GLSA 202211-01)  VULNSIGS-2.5.621-2 
690972  Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (0844671c-5a09-11ed-856e-d4c9ef517024)  VULNSIGS-2.5.621-2 
160191  Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2022-7288)  VULNSIGS-2.5.621-2 
160192  Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2022-9968)  VULNSIGS-2.5.621-2 
502587  Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)  VULNSIGS-2.5.621-2 
283270  Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2022-502f096dce)  VULNSIGS-2.5.621-2 
988530  Rust (Rust) Security Update for Open Secure Sockets Layer (OpenSSL-src) (GHSA-h8jm-2x53-xhp5)  VULNSIGS-2.5.621-2 

NOTE: Customers can use the out-of-band Qualys Scan utility QID 377733 on Windows to detect vulnerable OpenSSL installations. The QID will be extended to support Linux soon. 
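The affected range above (3.x before 3.0.7) and the note about bundled OpenSSL copies on Windows can be checked from a fleet inventory. The following script is an added example, not code from the original post or from Qualys: it parses `openssl version` banners (the host names and banners are constructed) and scans a raw file blob for embedded OpenSSL version strings, flagging anything in the vulnerable range.

```python
import re
from typing import Optional, Tuple

# Constructed sample inventory (host -> output of `openssl version`); not real hosts.
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "legacy": "LibreSSL 3.3.6",
}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
FIXED_VERSION = (3, 0, 7)  # first release with the fix, per the OpenSSL advisory


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(version: Tuple[int, int, int]) -> bool:
    """CVE-2022-3602 / CVE-2022-3786: only 3.x releases before 3.0.7 are affected;
    1.x releases fall outside the range stated in the advisory."""
    return version[0] == 3 and version < FIXED_VERSION


def classify(banner: str) -> str:
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not affected"


def find_embedded_versions(blob: bytes):
    """Scan raw bytes (e.g. an application's bundled libssl DLL) for OpenSSL
    version strings, the way an out-of-band file scan would."""
    found = {tuple(int(x) for x in m.groups())
             for m in re.finditer(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", blob)}
    return sorted(found)


def report(banners=SAMPLE_BANNERS):
    return {host: classify(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" (non-OpenSSL or unparseable banners) still need manual review rather than being treated as clean.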

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://www.openssl.org/news/secadv/20221101.txt 
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
https://portswigger.net/daily-swig/upcoming-critical-openssl-update-prompts-feverish-speculation 
