With news breaking of two new critical vulnerabilities being discovered in OpenSSL, the world of IT and cyber security has been on the edge of their seats over the last few days, awaiting updates from the development team behind OpenSSL.
The vulnerabilities are tracked as CVE-2022-3602 and CVE-2022-3786, and affect OpenSSL versions 3.0.0 through to 3.0.6, with a fix deployed in version 3.0.7. The vulnerabilities make use of security flaws in its open-source cryptographic library, which is used to encrypt communication channels HTTPS connections.
CVE-2022-3609 is an arbitrary 4-byte stack buffer overflow which could result in system crashes or lead to remote code execution (RCE). Triggered by a maliciously crafted email address, this vulnerability occurs due to the incorrect processing of Punycode while processing the X.509 certificates. Punycode is a representation of Unicode strings using the limited ASCII character subset. It is usually used to encode domain names containing non-ASCII characters such as Japanese letters. The vulnerable function ossl_punycode_decode may cause buffer overflow during Punycode string decoding. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
CVE-2022-3786 is a vulnerability which can be exploited by attackers making use of malicious email addresses to trigger a denial of service (DOS) via a buffer overflow. This buffer overflow occurs in the ossl_a2ulabel vulnerable function. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the ‘.’ character on the stack. Using this vulnerability, an attacker can overflow the output buffer with any number of ‘.’ characters, which in turn leads to the stack corruption. This vulnerability can’t be used for remote code execution, just denial of service.
We recommends that organizations should prioritise patching their systems which make use of the vulnerable OpenSSL versions as soon as possible. Although hard to exploit, it is not impossible and leaving systems open to critical vulnerabilities creates unnecessary risk.
Am I vulnerable?
Please find a link here which covers a vast range of software which are either affected or unaffected by this vulnerability. We would also recommend updating threat signatures to have confidence you are be able to detect this vulnerability on your environment.
Speak to us if you need any further help to find for detection and mitigation advice for this vulnerability:
By phone – 0800 404 8888
By email – through our contact page.