OpenSSL fixed two high-severity vulnerabilities

The OpenSSL project fixed two high-severity flaws in its cryptography library that can trigger a DoS condition or achieve remote code execution.

The OpenSSL project has issued security updates to address a couple of high-severity vulnerabilities, tracked as CVE-2022-3602 and CVE-2022-3786, in its cryptography library. The flaws impact versions 3.0.0 through 3.0.6 of the library.

The OpenSSL software library allows secure communications over computer networks against eavesdropping or need to identify the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

Both flaws are buffer overrun issues that can be triggered in X.509 certificate verification by providing a specially crafted email address. 

“The first, CVE-2022-3786, allows a threat actor to “craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.` character.”  The second, CVE-2022-3602, is similar, but in this case, a threat actor could “craft a malicious email to overflow four attacker-controlled bytes on the stack.” These could result in a denial of service or remote code execution.” reads a post published by Censys.

This buffer overflow could cause a denial of service condition or potentially lead to remote code execution.

“An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server.” reads the advisory published by the CVE-2022-3786. “In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”

The CVE-2022-3602 flaw was initially rated as CRITICAL, but further analysis based on some of the mitigating factors led its severity rate to be downgraded to HIGH.

Both vulnerabilities have been addressed with the release of the OpenSSL 3.0.7 release.

As of October 30th, 2022, the number of unique hosts having one or more services broadcasting that they use OpenSSL was 1,793,111. Of those, only 7,062 (0.4%) hosts run a vulnerable version of the library, which is greater than or equal to version 3.0.0.

Most of the hosts were located in the U.S., Germany, Japan, China, Czechia, the U.K., France, Russia, Canada, and the Netherlands.

“We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible,” reads a blog post published by the OpenSSL team. “We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, encryption)

[adrotate banner=”5″]

[adrotate banner=”13″]