OpenSSL has released version 3.0.7 to fix two security vulnerabilities (CVE-2022-3786 and CVE-2022-3602). All users running OpenSSL 3.0.0 through 3.0.6 are affected. Versions prior to 3.0 (OpenSSL 1.1.1 and 1.0.2) are not affected.

Based on the official advisory released by OpenSSL, “We are not aware of any working exploit that could lead to code execution, and we have no evidence of this issue being exploited as of the time of the release of this advisory (November 1st, 2022).”

______________________________

A. Nature of the Vulnerability

  • X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. 

  • X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) 

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

______________________________

B. Actions to be Taken

  • CERT-PH encourages all OpenSSL users/administrators running versions 3.0.0 to 3.0.6 to review and apply the update to 3.0.7.
  • If a TLS server cannot be updated immediately, consider disabling TLS client authentication (if it is in use) until the fix is applied: a server only parses a client's certificate, and so only reaches the vulnerable name constraint check, when it requests one.
  • Regularly check and apply the latest patch of software, especially to public-facing applications.
  • Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
  • For additional information, kindly refer to the official advisory:
    • <https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/>
    • <https://www.openssl.org/news/secadv/20221101.txt>
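To support the first action above (identify systems on 3.0.0 through 3.0.6), the following script is an added example written for this advisory, not code from OpenSSL or CERT-PH. It checks both the OpenSSL library that the running Python interpreter links against and the `openssl` command-line binary, because a host frequently carries more than one copy (system package, language runtimes, vendored copies inside applications). The affected range and the version-string formats it parses are taken from the advisory; the binary path argument is an assumption for hosts where `openssl` is not on PATH.

```python
import re
import ssl
import subprocess

# Inclusive affected range per the OpenSSL advisory of 1 November 2022.
AFFECTED_LOW = (3, 0, 0)
AFFECTED_HIGH = (3, 0, 6)


def parse_openssl_version(text):
    """Extract (major, minor, patch) from strings such as
    'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1q  5 Jul 2022'.
    Returns None when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when a (major, minor, patch) tuple lies in 3.0.0 .. 3.0.6.
    1.1.1x and 1.0.2x compare below the range and are therefore not affected,
    as the advisory states."""
    return AFFECTED_LOW <= tuple(version[:3]) <= AFFECTED_HIGH


def check_python_linked_openssl():
    """Check the OpenSSL copy compiled into this interpreter's ssl module.
    ssl.OPENSSL_VERSION_INFO is a 5-tuple; the first three fields are
    major, minor, patch."""
    version = ssl.OPENSSL_VERSION_INFO[:3]
    return ssl.OPENSSL_VERSION, is_affected(version)


def check_openssl_cli(binary="openssl"):
    """Run '<binary> version' and classify the result.
    Returns (raw_output, affected) or None when the binary cannot be run.
    The binary path is an assumption; pass an explicit path for bundled copies."""
    try:
        out = subprocess.run(
            [binary, "version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    version = parse_openssl_version(out)
    return out.strip(), (version is not None and is_affected(version))


if __name__ == "__main__":
    name, bad = check_python_linked_openssl()
    print(f"python ssl module: {name} -> {'AFFECTED' if bad else 'ok'}")
    cli = check_openssl_cli()
    if cli is None:
        print("openssl CLI: not found or failed to run")
    else:
        print(f"openssl CLI: {cli[0]} -> {'AFFECTED' if cli[1] else 'ok'}")
```

A result of "ok" for both checks does not clear the host on its own: applications that statically link or ship their own libcrypto (container images, appliances, Go or Node binaries built against OpenSSL 3.0.x) must be inventoried separately, and a vendor-patched build may report an affected version string while carrying the fix, so confirm against the distribution's changelog before closing a finding.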