OpenSSL Fixed Two High Severity Vulnerabilities That Can be Exploited Remotely

The OpenSSL Project has recently discovered and patched two high-severity security vulnerabilities in its open-source cryptographic library.

This cryptographic library is used to encrypt communication channels and HTTPS connections. Both vulnerabilities were addressed in OpenSSL version 3.0.7; the affected releases are OpenSSL 3.0.0 up to and including 3.0.6.

High Severity Vulnerabilities

The two high-severity vulnerabilities are:-

CVE-2022-3602: An arbitrary 4-byte stack buffer overflow that can cause a crash or potentially allow remote code execution (RCE).


“This occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack,” OpenSSL said.

This flaw is fixed in OpenSSL 3.0.7 and it affects the following versions:-

  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 3.0.4
  • 3.0.5
  • 3.0.6

CVE-2022-3786: A stack buffer overflow that could lead to a denial-of-service condition and can be triggered by threat actors through a malicious email address in a certificate.

“An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server.”

This flaw is fixed in OpenSSL 3.0.7 and it affects the following versions:-

  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 3.0.4
  • 3.0.5
  • 3.0.6

What Do Organizations Need to Know?

The vulnerability was pre-announced as “critical” on the expectation that RCE would be achievable in common scenarios. The OpenSSL Project has since revised its advisory and downgraded both vulnerabilities to “high” severity.

Now that the details of OpenSSL’s vulnerabilities have been made public, it is time to determine whether any of your public and private repositories are affected.

To help with this, Docker created a placeholder entry referencing both high-severity OpenSSL vulnerabilities.

Open Docker’s “Image Vulnerability Database” in your web browser and select the “Vulnerability search” tab on the portal.

Then search for the following term in the search bar to find the vulnerable package:-

  • DSA-2022-0001

Security Measure

Since October 25, all organizations and IT administrators have been strictly instructed to scan for susceptible instances and patch them with OpenSSL 3.0.7 as soon as it becomes available.
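As an added example (not from the article or the OpenSSL Project), the following Python helper parses `openssl version` output collected from a hypothetical host inventory (the lines below are constructed) and flags the affected 3.0.0 to 3.0.6 releases listed above, treating 3.0.7 as fixed and other branches such as 1.1.1 as not affected:

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample output of `openssl version` from a hypothetical
# inventory; host names and strings are not real data.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "legacy-01": "LibreSSL 3.3.6",
}

# Matches the leading "OpenSSL <major>.<minor>.<patch>" of the banner;
# letter suffixes such as 1.1.1q are ignored for this check.
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)")

# First release fixing CVE-2022-3602 and CVE-2022-3786.
FIXED = (3, 0, 7)


def parse_version(line: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the banner is not OpenSSL."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Only the 3.0 branch is affected: 3.0.0 up to and including 3.0.6."""
    major, minor, _ = version
    return (major, minor) == (3, 0) and version < FIXED


def classify(line: str) -> str:
    """Classify one banner line as affected, not-affected, or unknown."""
    version = parse_version(line)
    if version is None:
        return "unknown"  # not OpenSSL (e.g. LibreSSL) or unparseable
    return "affected" if is_affected(version) else "not-affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its classification so affected hosts can be patched."""
    return {host: classify(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```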

It is reported that there were 1,793,111 unique hosts broadcasting that they use OpenSSL as of October 30th, 2022. The number of hosts running susceptible versions of the library is relatively low, estimated at about 7,062.

The countries where these hosts were most commonly located were:-

  • The U.S.
  • Germany
  • Japan
  • China
  • Czechia
  • The U.K.
  • France
  • Russia
  • Canada
  • The Netherlands

The OpenSSL Project also recommended a mitigation, strongly urging admins and operators of TLS servers to immediately disable TLS client authentication until the patches are applied.

To prevent security issues, it is strongly recommended that OpenSSL be updated to version 3.0.7 immediately.


BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.