Blog Post Resource November 2, 2022

New Vulnerabilities Affecting OpenSSL: What you Need to Know


On Tuesday, November 1, 2022, OpenSSL made public two vulnerabilities affecting the most recent versions of the OpenSSL 3.x branch¹. The pair of Common Vulnerabilities and Exposures (CVEs), CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service), sometimes known as “Spooky SSL,” has been patched in the most recently released OpenSSL version, 3.0.7, but the flaws remain potentially significant if left unpatched. Their severity is exacerbated by the many ways in which, and the many products in which, OpenSSL is used.

OpenSSL is a widely used library found across operating systems, software suites, and packages, where it provides the basis for establishing secure, encrypted communication sessions. It is commonly used by web servers to establish HTTPS/TLS-secured connections, by VPNs, and by other applications requiring secure sessions, such as encrypted mail protocols.

The National Cyber Security Centrum – Netherlands (NCSC-NL) has released a public repository cataloging operating systems and software that use the vulnerable OpenSSL versions². The list is non-exhaustive but provides a good basis for recognizing which types of systems the OpenSSL vulnerabilities affect.

CVE-2022-3602 – Remote Code Execution Vulnerability

CVE-2022-3602 is a potential Remote Code Execution (RCE) vulnerability, which may allow unauthorized execution of malicious code on remote systems, either servers or clients using the affected OpenSSL libraries³. A buffer overrun can be triggered during verification of the X.509 certificate’s name field, leading to a potential crash (Denial of Service / DoS) or RCE. The overflow happens after the certificate chain signature is verified. Therefore, exploitation requires that either a Certificate Authority (CA) has signed the malicious certificate or the application using the OpenSSL library continues certificate verification despite a certificate trust failure.

Usage of this CVE has not yet been observed in the wild; however, the timely patching of affected systems is recommended as the best course of action.

CVE-2022-3786 – Denial of Service Vulnerability

CVE-2022-3786 is also a buffer overrun in X.509 certificate name constraint checking⁴. Attackers can leverage the vulnerability by crafting a malicious email address in the certificate to cause an overflow of an arbitrary number of bytes in memory using the '.' character (decimal 46). This buffer overflow can result in a crash, causing a denial of service. The vulnerability can affect both OpenSSL-provided TLS clients and servers: clients are potentially exploited by connecting to a malicious server, and servers are vulnerable to malicious client connections when they request client authentication.

Like the previous vulnerability, this CVE has not been observed in the wild, but it is recommended that businesses, administrators, and users patch to the latest version of OpenSSL.

Recommendations

Adlumin recommends that all users of OpenSSL and OpenSSL-backed software update to the latest versions available in their major branch, especially if leveraging version 3.x.

Additionally, we recommend using a vulnerability management product to regularly scan your environment to identify vulnerabilities and misconfigurations. Adlumin also recommends using the business’s SIEM product to continually search and alert for suspicious executions that may result from exploitation of the vulnerability.
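To make the update recommendation actionable, the following added example (written for this page, not code from Adlumin, OpenSSL or NCSC-NL) triages a set of hosts by the version banner that `openssl version` prints. It assumes, from the OpenSSL advisory cited above, that the affected releases are OpenSSL 3.0.0 through 3.0.6 and that 3.0.7 is the fixed release, so the 1.1.1 and 1.0.2 branches are reported as not affected. The host names and banners are constructed sample data; the one caveat it encodes is that when a banner carries a separate `Library:` string, the runtime library version is what matters, not the version the command-line binary was built against.

```python
import re

# Constructed inventory: what `openssl version` printed on a handful of
# hypothetical hosts. Host names and banners are sample data, not real systems.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    # Binary built against 3.0.7 headers but loading an older shared library:
    # the runtime library is still 3.0.5, so this host is still exposed.
    "web-03": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "vpn-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "mail-01": "OpenSSL 3.0.0 7 sep 2021",
    "legacy-01": "LibreSSL 3.3.6",
}

# Matches "OpenSSL <major>.<minor>.<patch>[letter-suffix]" anywhere in a banner.
# The optional letter suffix covers 1.x-style versions such as 1.1.1q.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")

# Fixed release per the OpenSSL advisory: everything in 3.0.x below this is affected.
FIXED_VERSION = (3, 0, 7)


def parse_openssl_version(banner):
    """Return (major, minor, patch) of the OpenSSL *library* named in a banner.

    If the banner contains both the binary version and a "Library:" version,
    the last match is the library one, which is the version actually executing.
    Returns None for banners that do not name OpenSSL at all (e.g. LibreSSL).
    """
    matches = VERSION_RE.findall(banner)
    if not matches:
        return None
    major, minor, patch = matches[-1]
    return (int(major), int(minor), int(patch))


def is_affected(version):
    """True for OpenSSL 3.0.0 through 3.0.6 (3.0.x releases older than 3.0.7)."""
    major, minor, patch = version
    return (major, minor) == (FIXED_VERSION[0], FIXED_VERSION[1]) and patch < FIXED_VERSION[2]


def triage(inventory):
    """Classify each host as 'affected', 'not affected' or 'unknown'."""
    report = {}
    for host, banner in inventory.items():
        version = parse_openssl_version(banner)
        if version is None:
            report[host] = "unknown"
        elif is_affected(version):
            report[host] = "affected"
        else:
            report[host] = "not affected"
    return report


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:<10} {status}")
```

Hosts reported as "unknown" (no OpenSSL banner at all) still need a manual check, since the library may be present under a different name or statically linked into an application; the NCSC-NL repository referenced above is a good starting point for those cases.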

Resources

  1. OpenSSL. (2022, November 1). OpenSSL Security Advisory [November 1 2022]. Retrieved November 1, 2022, from https://www.openssl.org/news/secadv/20221101.txt
  2. NCSC-NL. (2022, October 28). OpenSSL-2022/scanning at main · NCSC-NL/OpenSSL-2022. OpenSSL-2022. Retrieved November 2, 2022, from https://github.com/NCSC-NL/OpenSSL-2022/tree/main/scanning
  3. MITRE. (2022, November 1). CVE-2022-3602. CVE. Retrieved November 1, 2022, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602
  4. MITRE. (2022, November 1). CVE-2022-3786. CVE. Retrieved November 1, 2022, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3786