The OpenSSL project fixed two high-severity flaws in its cryptography library that can trigger a DoS condition or achieve remote code execution.
The OpenSSL software library allows secure communications over computer networks against eavesdropping or need to identify the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Both flaws are buffer overrun issues that can be triggered in X.509 certificate verification by providing a specially crafted email address.
“The first, CVE-2022-3786, allows a threat actor to “craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.` character.” The second, CVE-2022-3602, is similar, but in this case, a threat actor could “craft a malicious email to overflow four attacker-controlled bytes on the stack.” These could result in a denial of service or remote code execution.” reads a post published by Censys.
This buffer overflow could cause a denial of service condition or potentially lead to remote code execution.
“An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server.” reads the advisory published by the CVE-2022-3786. “In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”
The CVE-2022-3602 flaw was initially rated as CRITICAL, but further analysis based on some of the mitigating factors led its severity rate to be downgraded to HIGH.
Both vulnerabilities have been addressed with the release of the OpenSSL 3.0.7 release.
As of October 30th, 2022, the number of unique hosts having one or more services broadcasting that they use OpenSSL was 1,793,111. Of those, only 7,062 (0.4%) hosts run a vulnerable version of the library, which is greater than or equal to version 3.0.0.
Most of the hosts were located in the U.S., Germany, Japan, China, Czechia, the U.K., France, Russia, Canada, and the Netherlands.
“We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible,” reads a blog post published by the OpenSSL team. “We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post.”
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.