OpenSSL Issues Security Updates for Two Critical Vulnerabilities

In the last week of October 2022, the OpenSSL project disclosed two vulnerabilities found in the OpenSSL library. CVE-2022-3602 and CVE-2022-3786 are both labeled as “high” severity issues with a CVSS score of 8.8, just 0.2 points below what they need to be considered “severe”.

The problem lies in the verification process of certificates that OpenSSL does for certificate-based authentication. Exploitation of the vulnerability could allow an attacker to launch a denial of service (DoS) or even remote code execution attack. Patches for the two vulnerabilities found in OpenSSL v3.0.0 to v3.06 have now been released.

What is OpenSSL?

OpenSSL is a widely used open-source cryptography command line utility for securing web traffic exchange between clients and servers. It is used to generate public and private keys, install SSL/TLS certificates, verify certificate information, and provide encryption.

The issue came to light on October 17, 2022, when Polar Bear disclosed two high-level vulnerabilities found in OpenSSL versions 3.0.0 to 3.0.6 to the OpenSSL project. The vulnerabilities are CVE-2022-3602 and CVE-2022-3786.

On October 25, 2022, news of the vulnerability hit the Internet. Mark Cox, a Red Hat software engineer and Apache Software Foundation VP of Security, broke the news in a tweet.

How can an attacker exploit these vulnerabilities?

The pair of vulnerabilities CVE-2022-3602 and CVE-2022-3786 are prone to buffer overflow attack which is a cyber-attack in which server memory contents are misused to reveal user information and server private keys or to perform remote code execution. is done.

CVE-2022-3602

This vulnerability allows an attacker to take advantage of a buffer overrun in X.509 certificate verification in name constraint checking. This occurs after certificate chain verification and requires the CA signature on the malicious certificate or certificate verification to continue despite failure to map to a trusted issuer.

An attacker could incorporate a phishing scheme such as creating a fabricated email address to overflow four bytes on the stack. This can result in a denial-of-service (DoS) attack in which a service becomes unavailable after a crash, or the attacker can perform remote code execution, meaning that a code to control an application server can be executed remotely. is run.

This vulnerability could be triggered if an authenticated TLS client connects to a malicious server or if an authenticated TLS server connects to a malicious client.

CVE-2022-3786

This vulnerability is exploited in the same way as CVE-2022-3602. The only difference is that an attacker “.” Creates a malicious email address to overflow an arbitrary number of bytes containing . character (decimal 46). However, in CVE-2022-3602, only four bytes controlled by the attacker are exploited.

Infamous “Heartbleed” Vulnerability Flashback

Back in 2016, a similar issue was discovered in OpenSSL that was given a “severe” severity rating. It was a memory-handling bug that allowed attackers to compromise secret keys, passwords and other sensitive information in vulnerable servers. The infamous bug is known as Heartbleed (CVE-2014-0160) and as of today, more than 200,000 machines are known to be vulnerable to this vulnerability.

What is right?

In today’s cyber-security-conscious world, many platforms implement stack overflow protection to keep attackers away. This provides the necessary mitigation against buffer overflows.

Further mitigation against these vulnerabilities includes upgrading to the latest released version of OpenSSL. As OpenSSL v3.0.0 to v3.0.6 is vulnerable, it is recommended that you upgrade to OpenSSL v3.0.7. However, if you use OpenSSL v1.1.1 and v1.0.2, you can continue to use these versions as they are not affected by the two vulnerabilities.

Exploiting Two Weaknesses Is Harder

These vulnerabilities are less likely to be abused because one of the conditions is a malformed certificate signed by a trusted CA. Due to the ever-evolving attack landscape, most modern systems make sure to implement built-in security mechanisms to guard against these types of attacks.

Cyber security is a necessity in today’s world, with built-in and advanced security mechanisms, it is difficult to exploit such vulnerabilities. Thanks to the timely security updates released by OpenSSL, you do not need to worry about these vulnerabilities. Just take necessary measures like patching your system and implementing good layers of security and you are safe to use OpenSSL.

Leave a Comment