New Critical Vulnerabilities in OpenSSL

by Henry Nel, SOC Engineer. Published on: 9th November 2022

With news breaking of two new critical vulnerabilities being discovered in OpenSSL, the world of IT and cyber security has been on the edge of their seats over the last few days, awaiting updates from the development team behind OpenSSL.

The vulnerabilities are tracked as CVE-2022-3602 and CVE-2022-3786 and affect OpenSSL versions 3.0.0 through 3.0.6; the fix ships in version 3.0.7. Both are flaws in OpenSSL's open-source cryptographic library, which is used to encrypt communication channels such as HTTPS connections.

CVE-2022-3602

CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow which could result in system crashes or lead to remote code execution (RCE). Triggered by a maliciously crafted email address in an X.509 certificate, the vulnerability stems from incorrect handling of Punycode while the certificate is processed. Punycode is a representation of Unicode strings using the limited ASCII character subset; it is usually used to encode domain names containing non-ASCII characters such as Japanese letters. The vulnerable function, ossl_punycode_decode, may overflow its buffer while decoding a Punycode string. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

CVE-2022-3786

CVE-2022-3786 is a vulnerability which attackers can exploit with malicious email addresses to trigger a denial of service (DoS) via a buffer overflow. The overflow occurs in the vulnerable function ossl_a2ulabel. An attacker can craft a malicious email address in a certificate to overflow the stack by an arbitrary number of bytes containing the '.' character. Using this vulnerability, an attacker can overflow the output buffer with any number of '.' characters, which in turn leads to stack corruption. This vulnerability cannot be used for remote code execution, only denial of service.

Recommendations

We recommend that organisations prioritise patching systems that use the vulnerable OpenSSL versions as soon as possible. Although the flaws are hard to exploit, exploitation is not impossible, and leaving systems exposed to critical vulnerabilities creates unnecessary risk.

Am I vulnerable?

Please find a link here which covers a wide range of software that is either affected or unaffected by these vulnerabilities. We also recommend updating threat signatures so that you can be confident you are able to detect this vulnerability in your environment.
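As an added example (not from the original post), a small Python check that classifies the banner printed by `openssl version` against the affected range given above (3.0.0 through 3.0.6 affected, 3.0.7 fixed). The function and status names are our own; the sample banners in the comments are constructed.

```python
import re
import subprocess

# Affected range as stated in the advisory: 3.0.0 <= version < 3.0.7
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022"
_BANNER = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """Return (library, (major, minor, patch), letter_suffix) or None if unparseable."""
    m = _BANNER.match(banner.strip())
    if not m:
        return None
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return m.group(1), version, m.group(5)


def classify(banner):
    """Classify a version banner as 'vulnerable', 'not-affected' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    library, version, _suffix = parsed
    # LibreSSL (e.g. on macOS) is a separate code base and is outside the affected range
    if library != "OpenSSL":
        return "not-affected"
    # 1.0.2 and 1.1.1 branches predate the Punycode code; 3.0.7+ carries the fix
    if AFFECTED_MIN <= version < FIXED:
        return "vulnerable"
    return "not-affected"


def check_local_cli():
    """Run the local `openssl version` command and classify its output."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return classify(result.stdout)


if __name__ == "__main__":
    print("local openssl CLI:", check_local_cli())
```

This only inspects the library behind the `openssl` command; applications that bundle or statically link their own copy of OpenSSL need to be checked separately.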

Speak to us if you need any further help with detection and mitigation advice for these vulnerabilities:

By phone – 0800 404 8888

By email – through our contact page.
