In the last week of October 2022, the OpenSSL Project revealed two vulnerabilities found in the OpenSSL library. Both CVE-2022-3602 and CVE-2022-3786 have been labeled “High” severity issues with a CVSS score of 8.8, only 0.2 points lower than what they’d need to be considered “Critical”.
The issue lies in the certificate verification that OpenSSL performs for certificate-based authentication. Exploiting the vulnerabilities could allow an attacker to cause a Denial of Service (DoS) or even achieve Remote Code Execution. Patches for the two weaknesses, found in OpenSSL v3.0.0 to v3.0.6, have now been released.
What Is OpenSSL?
OpenSSL is a widely used open-source cryptography library and command-line utility that secures the web traffic exchanged between a client and a server. It is used to generate public and private keys, install SSL/TLS certificates, verify certificate information, and provide encryption.
The issue came to light on October 17th, 2022, when Polar Bear disclosed two high-severity vulnerabilities found in OpenSSL versions 3.0.0 to 3.0.6 to the OpenSSL Project. The vulnerabilities are CVE-2022-3602 and CVE-2022-3786.
On October 25th, 2022, the news of the vulnerabilities hit the internet. Mark Cox, a Red Hat Software Engineer and the Apache Software Foundation VP of Security, broke the news in a tweet.
How Can an Attacker Exploit These Vulnerabilities?
Both CVE-2022-3602 and CVE-2022-3786 are buffer overflow vulnerabilities. A buffer overflow attack is a cyber-attack in which server memory contents are abused to reveal user information and server private keys or to perform remote code execution.
CVE-2022-3602 allows an attacker to take advantage of a buffer overrun in name constraint checking during X.509 certificate verification. This happens after certificate chain verification and requires either a CA signature on the malicious certificate or certificate verification to continue despite failure to map to a trusted issuer.
An attacker can incorporate a phishing scheme such as creating a fabricated email address to overflow four bytes on the stack. This can result in a Denial-of-Service (DoS) attack in which the service becomes unavailable after crashing, or the attacker can perform Remote Code Execution, which means code is run remotely to control the application server.
This vulnerability can be triggered if an authentic TLS client connects to a malicious server or if an authentic TLS server connects to a malicious client.
CVE-2022-3786 is exploited just like CVE-2022-3602. The only difference is that an attacker creates a malicious email address to overflow an arbitrary number of bytes containing the “.” character (decimal 46). In CVE-2022-3602, by contrast, only four bytes controlled by the attacker are exploited.
The Notorious “Heartbleed” Vulnerability Flashback
Back in 2016, a similar issue was discovered in OpenSSL that was given a “Critical” severity rating. This was a memory-handling bug that allowed attackers to compromise secret keys, passwords, and other sensitive information in vulnerable servers. The infamous bug is known as Heartbleed (CVE-2014-0160) and to this day, over 200,000 machines are deemed vulnerable to this weakness.
What’s the Fix?
In today’s cyber-security-aware world, many platforms implement stack overflow protections to keep attackers at bay. This provides necessary mitigation against buffer overflow.
Further mitigation against these vulnerabilities involves upgrading to the latest released version of OpenSSL. As OpenSSL v3.0.0 to v3.0.6 is vulnerable, it is recommended that you upgrade to OpenSSL v3.0.7. However, if you use OpenSSL v1.1.1 or v1.0.2, you can continue to use these versions as they are not affected by the two vulnerabilities.
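The upgrade guidance above can be applied across a fleet by classifying collected `openssl version` banners. The following is an added example, not code from this article or from the OpenSSL Project; the host names and banner lines are constructed, and the affected range is the one stated above.

```python
import re
import ssl

# Range stated in the article: 3.0.0 through 3.0.6 affected, 3.0.7 fixed.
FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

# Version token in `openssl version` output, e.g. "OpenSSL 3.0.5 5 Jul 2022"
# or "OpenSSL 1.1.1q  5 Jul 2022" (1.x releases carry a letter suffix).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_versions(banner):
    """Return every (major, minor, patch) in a banner. The 3.x CLI prints its
    own version and the loaded library's ("(Library: ...)"), so keep both."""
    return [tuple(int(n) for n in m.groups()[:3])
            for m in _VERSION_RE.finditer(banner)]

def classify(banner):
    """Classify a banner as 'affected', 'not affected' or 'unknown'."""
    versions = parse_versions(banner)
    if not versions:
        return "unknown"  # not an OpenSSL banner (for example another TLS stack)
    # One affected component (CLI or library) is enough to flag the host.
    if any(FIRST_AFFECTED <= v < FIRST_FIXED for v in versions):
        return "affected"
    return "not affected"

def triage(inventory):
    """Map host -> classification for {host: banner} inventory data."""
    return {host: classify(banner) for host, banner in inventory.items()}

# Constructed sample inventory (hypothetical hosts, typical banner shapes).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "build-01": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "legacy-01": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
    # The OpenSSL build this Python interpreter itself is linked against.
    local = ssl.OPENSSL_VERSION
    print(f"local python ({local}): {classify(local)}")
```

A distribution package may carry a backported fix under an unchanged upstream version number, so an "affected" result on a vendor build should be checked against the vendor's advisory.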
The Two Vulnerabilities Are Hard to Exploit
The chances of these vulnerabilities getting abused are low because one of the conditions is a malformed certificate signed by a trusted CA. Due to the ever-increasing attack landscape, most modern systems make sure to implement built-in security mechanisms to avoid these types of attacks.
Cybersecurity is a necessity in today’s world. With built-in and advanced protection mechanisms in place, vulnerabilities like these are difficult to exploit. Thanks to the security updates released by OpenSSL in time, you don’t need to worry about these vulnerabilities. Just take necessary measures like patching your system and implementing good layers of security, and you are safe to use OpenSSL.