Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Denial of Service and RCE in OpenSSL 3.0 (CVE-2022-3786 and CVE-2022-3602)

Overview

On November 1 the OpenSSL Project released patches addressing the previously rated "Critical" vulnerability that was pre-announced last week. The "Critical" rating has been downgraded to "High."

The vulnerability was split between two CVEs (both rated "High"), CVE-2022-3786 and CVE-2022-3602. Both vulnerabilities affect how a TLS server or client verify an X.509 certificate, specifically the email address. In order to exploit the vulnerability, the attacker requires a specifically crafted X.509 certificate that contains a specially crafted email address. Upon attempting to verify the X.509 certificate, the email field can cause a memory overrun issue that can allow the attacker to crash the TLS software, potentially embedding and executing attacker-controlled code.

CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow

In the case of CVE-2022-3602, the maliciously crafted email address allows the attacker to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially allow remote code execution.

CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow

In the case of CVE-2022-3786, the maliciously crafted email address allows the attacker to overflow an arbitrary number of bytes containing the `.' character on the stack resulting in a crash/DoS attack.

Attack scenarios

In a TLS client, the vulnerability can be exploited by connecting to a server using a maliciously crafted and signed certificate. This only affects a TLS server if it uses client authentication of the TLS connection and a client with a maliciously crafted certificate connects.

Mitigating circumstances

The malicious certificate requires a valid CA signature in order to pass certificate chain signature verification. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution in the case of CVE-2022-3602. The OpenSSL Project is not aware of any working exploit that could lead to remote code execution, and there is no evidence of this issue being exploited as of the time of release of this advisory (November 1, 2022). 3.x versions of OpenSSL only represent ~1.5% of installations, according to Wiz Labs.

Affected Versions

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue and all OpenSSL 3.x users should upgrade to OpenSSL 3.0.7. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

References

https://www.openssl.org/news/secadv/20221101.txt

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

Trustwave Response

While there is no active exploit, Trustwave is currently monitoring the situation to make sure that our customers are protected against attacks targeting this vulnerability. We will update this post as more information comes in.

About the Author

Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo