Reference:
Advisory #2022-35
Version:
1.0
Affected software:
OpenSSL v3.0.0 - v3.0.6
Type:
Buffer overrun in X.509 certificate verification
CVE/CVSS:
CVE-2022-3602, CVE-2022-3786
On November 1, 2022, OpenSSL released version 3.0.7, fixing two high-severity vulnerabilities in the OpenSSL 3.0 branch: CVE-2022-3602 and CVE-2022-3786. Both are buffer overruns in X.509 certificate verification: they sit in the punycode decoder used to process internationalised email addresses during name constraint checking, and both are triggered by a crafted email address in a certificate.
CVE-2022-3602 is an off-by-one that lets the attacker write four controlled bytes past the end of a stack buffer, which can crash the process and could in principle be turned into remote code execution (RCE). CVE-2022-3786 lets the attacker overrun a stack buffer with an arbitrary number of '.' (0x2E) bytes; the attacker does not control the written value, so the realistic outcome is a crash, i.e. a denial of service (DoS).
The pre-announcement rated CVE-2022-3602 CRITICAL. Further analysis downgraded it to HIGH: the stack overflow protections that many platforms ship, and the stack layout produced by common platform/compiler combinations, make RCE considerably harder to achieve than a crash.
Exploitation of either vulnerability can therefore crash the affected process (DoS); CVE-2022-3602 could theoretically also lead to RCE. Reaching the vulnerable code requires the malicious certificate to get as far as name constraint checking, which happens after chain signature verification: the certificate must be signed by a CA the victim trusts, or the application must continue verification despite failing to build a path to a trusted issuer. A TLS client connecting to a malicious server, and a TLS server that requests client certificates, are the exposed cases.
At the time of the release OpenSSL was not aware of any working exploit that could lead to remote code execution and had no evidence of these issues being exploited in the wild.
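As an added illustration, not code from the CCB, from this advisory or from OpenSSL: a compact RFC 3492 punycode decoder written in the same shape as the one in which CVE-2022-3602 was found (the upstream fix changed a ">" to ">=" in the decoder's bounds check). The strict flag switches between the off-by-one check and the hardened one; demo_decode, the input "bcher-kva" (punycode for "bücher"), the canary slot and every other name here are this example's own constructions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* RFC 3492 parameters */
enum { PC_BASE = 36, PC_TMIN = 1, PC_TMAX = 26, PC_SKEW = 38, PC_DAMP = 700,
       PC_INITIAL_BIAS = 72, PC_INITIAL_N = 128 };

static int pc_digit(char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    return (c >= '0' && c <= '9') ? c - '0' + 26 : -1;
}

static unsigned int pc_adapt(unsigned int delta, unsigned int numpoints, int first)
{
    unsigned int k = 0;
    delta = first ? delta / PC_DAMP : delta / 2;
    delta += delta / numpoints;
    for (; delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2; k += PC_BASE)
        delta /= PC_BASE - PC_TMIN;
    return k + (PC_BASE - PC_TMIN + 1) * delta / (delta + PC_SKEW);
}

/* Decode punycode `enc` into `out` (room for `max_out` entries). strict == 0
 * reproduces the off-by-one bounds check, strict == 1 the hardened one. */
int punycode_decode(const char *enc, size_t enc_len, unsigned int *out,
                    unsigned int max_out, unsigned int *out_len, int strict)
{
    unsigned int n = PC_INITIAL_N, i = 0, bias = PC_INITIAL_BIAS, written;
    size_t pos, start = 0, basic = 0;
    /* Basic (ASCII) code points precede the last '-' and are copied as-is. */
    for (pos = 0; pos < enc_len; pos++)
        if (enc[pos] == '-') { basic = pos; start = pos + 1; }
    if (basic > max_out)
        return 0;
    for (pos = 0; pos < basic; pos++) {
        if (enc[pos] & 0x80)
            return 0;
        out[pos] = (unsigned char)enc[pos];
    }
    written = (unsigned int)basic;
    for (pos = start; pos < enc_len; i++, written++) {
        unsigned int oldi = i, w = 1, k, t;
        int digit;
        for (k = PC_BASE; ; k += PC_BASE) {
            if (pos >= enc_len || (digit = pc_digit(enc[pos++])) < 0)
                return 0;
            if ((unsigned int)digit > (UINT_MAX - i) / w)   /* overflow guard */
                return 0;
            i += (unsigned int)digit * w;
            t = k <= bias ? PC_TMIN : (k >= bias + PC_TMAX ? PC_TMAX : k - bias);
            if ((unsigned int)digit < t)
                break;
            if (w > UINT_MAX / (PC_BASE - t))                 /* overflow guard */
                return 0;
            w *= PC_BASE - t;
        }
        bias = pc_adapt(i - oldi, written + 1, oldi == 0);
        n += i / (written + 1);
        i %= (written + 1);
        /* `written` entries are already in out[] and the insertion below
         * touches out[written], so room for written + 1 entries is needed.
         * ">" lets one extra 4-byte entry through (the CVE-2022-3602 shape). */
        if (strict ? written >= max_out : written > max_out)
            return 0;
        memmove(out + i + 1, out + i, (written - i) * sizeof(*out));
        out[i] = n;
    }
    *out_len = written;
    return 1;
}

#define DEMO_CANARY 0xDEADBEEFu

/* Decode the constructed input "bcher-kva" (5 basic code points, then one
 * inserted code point) into a buffer of max_out (<= 8) entries followed by a
 * canary slot standing in for whatever follows the buffer on the stack.
 * Returns 2 if the canary was overwritten, 1 if the decode succeeded and
 * produced b, U+00FC, c, h, e, r, 0 if the input was rejected, -1 otherwise. */
int demo_decode(int strict, unsigned int max_out)
{
    unsigned int buf[9] = {0}, len = 0;
    int ok;
    buf[max_out] = DEMO_CANARY;
    ok = punycode_decode("bcher-kva", 9, buf, max_out, &len, strict);
    if (buf[max_out] != DEMO_CANARY) return 2;
    if (!ok) return 0;
    return (len == 6 && buf[0] == 'b' && buf[1] == 0xFC && buf[5] == 'r') ? 1 : -1;
}

int main(void)
{
    printf("lax check, 5-entry buffer:    %d (2 = wrote past the buffer)\n", demo_decode(0, 5));
    printf("strict check, 5-entry buffer: %d (0 = rejected)\n", demo_decode(1, 5));
    printf("strict check, 6-entry buffer: %d (1 = decoded correctly)\n", demo_decode(1, 6));
    return 0;
}
```

With a 5-entry buffer the lax variant accepts the input and overwrites the slot past the buffer with one 4-byte entry, while the strict variant rejects it; give the buffer room for the inserted code point and both variants decode correctly. In OpenSSL the destination is a fixed-size array on the stack, which is why that single extra entry is the 4-byte stack overrun described above.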
Affected versions: OpenSSL 3.0.0 up to and including 3.0.6. The OpenSSL 1.1.1 and 1.0.2 branches are not affected.
Users operating TLS servers may consider disabling TLS client authentication, if it is in use, until the fix is applied; TLS clients remain exposed to malicious servers until they are updated.
Although this is not a critical vulnerability, the CCB still recommends that system administrators patch vulnerable systems by upgrading to OpenSSL 3.0.7 or later. Updating quickly is worthwhile, but many sites do not appear to be at immediate risk. Note that "openssl version" only reports the system's command-line copy: applications that statically link or bundle their own OpenSSL 3.0 (containers, language runtimes, appliances) must be checked and updated separately, and long-running services must be restarted to load the patched library.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.