On November 1 the OpenSSL Project released patches addressing the previously rated "Critical" vulnerability that was pre-announced last week. The "Critical" rating has been downgraded to "High."
The vulnerability was split into two CVEs, both rated "High": CVE-2022-3786 and CVE-2022-3602. Both affect how a TLS server or client verifies an X.509 certificate, specifically its email address field. To exploit either issue, the attacker needs a specially crafted X.509 certificate containing a malicious email address. When the certificate is verified, the email field can trigger a buffer overrun that lets the attacker crash the TLS software and potentially execute attacker-controlled code.
In the case of CVE-2022-3602, the maliciously crafted email address allows the attacker to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially allow remote code execution.
In the case of CVE-2022-3786, the maliciously crafted email address allows the attacker to overflow an arbitrary number of bytes containing the '.' character on the stack, resulting in a crash/DoS attack.
In a TLS client, the vulnerability can be exploited by connecting to a server using a maliciously crafted and signed certificate. This only affects a TLS server if it uses client authentication of the TLS connection and a client with a maliciously crafted certificate connects.
The malicious certificate requires a valid CA signature in order to pass certificate chain signature verification. Many platforms implement stack overflow protections which would mitigate the risk of remote code execution in the case of CVE-2022-3602. The OpenSSL Project is not aware of any working exploit that could lead to remote code execution, and there is no evidence of this issue being exploited as of the time of release of this advisory (November 1, 2022). 3.x versions of OpenSSL only represent ~1.5% of installations, according to Wiz Labs.
OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue and all OpenSSL 3.x users should upgrade to OpenSSL 3.0.7. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
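As an added example (not part of Trustwave's post or the OpenSSL advisory), the following Python helper classifies `openssl version` banners collected from a fleet against the affected range above; the hostnames and banner strings are constructed samples.

```python
import re

# Versions named in the advisory: 3.0.0 through 3.0.6 are affected, 3.0.7 fixes
# both CVEs, and the 1.1.1 and 1.0.2 branches are not affected at all.
FIXED_3X = (3, 0, 7)

# Matches the leading "OpenSSL X.Y.Z" part of `openssl version` output, e.g.
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022" (letter suffix).
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letter) parsed from an `openssl version`
    banner, or None when the line is not an OpenSSL version banner."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def assess(banner):
    """Classify a banner against CVE-2022-3602 / CVE-2022-3786.

    Returns "vulnerable", "patched", "not-affected" or "unknown"."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"  # e.g. LibreSSL or an unparseable line: inspect by hand
    major, minor, patch, _letter = parsed
    if major != 3:
        # Only the 3.x line is affected; 1.1.1 and 1.0.2 need no fix.
        return "not-affected"
    if (major, minor, patch) < FIXED_3X:
        return "vulnerable"
    return "patched"


def triage(banners):
    """Map host -> assessment for a dict of host -> banner string."""
    return {host: assess(banner) for host, banner in banners.items()}


# Constructed sample banners (not real hosts), as an inventory job might collect them.
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-db": "OpenSSL 1.1.1q  5 Jul 2022",
    "appliance": "LibreSSL 3.6.1",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host:10s} {verdict}")
```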
https://www.openssl.org/news/secadv/20221101.txt
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
While there is no active exploit, Trustwave is currently monitoring the situation to make sure that our customers are protected against attacks targeting this vulnerability. We will update this post as more information comes in.
Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.