Additional information on critical SSL vulnerability

Additional information on critical SSL vulnerability

Earlier, we posted information about a patch that the OpenSSL team was preparing to cover a critical vulnerability. However, at that moment, no information about the vulnerability was available. OpenSSL team made an announcement just because they wanted to let the IT teams start preparing and, at the same time, leave no chance to treat actors to use the flaw. Later, once the patch was released, they provided more data about the issues.

The flaws discovered in OpenSSL were CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”). Both bugs appeared as part of Punycode decoding logic, added in OpenSSL 3.0.

Originally the second one was announced as critical. Still, later its severity was downgraded to high because many platforms have stack overflow protection mechanisms that wouldn’t allow performing remote code execution, causing a crash instead.

CVE-2022-3602 is a buffer overrun vulnerability in X.509 certificate name constraint verification. A malicious email address can be created to overflow four bytes controlled by the attacker. This may result in a crash (in most cases) or potentially remote code execution.

CVE-2022-3786 is also related to buffer overrun in X.509 certificate name constraint verification. In this case, a malicious email address in the certificate causes an overflow in an arbitrary number of bytes that contain the decimal 46 character (`.'), causing a crash and denial of service.

Both issues appear in OpenSSL versions from 3.0.0 to 3.0.6. It is highly recommended to update to 3.0.7 as soon as possible. Another way to mitigate the issues is to disable TLS client authentication until the fix is applied. The existing application using OpenSSL 1.1.1 is not affected.

Image credit: Photo by FLY:D on Unsplash

Reading next

End of support for Adobe Commerce 2.4.0-2.4.3
LastPass was attacked using data leaked in August

Interested in a specific business & technology topic and looking for an article in our blog but haven't found one yet?

If you haven't come across an article that matches your query, feel free to suggest the topic to us, and we'll consider featuring it in our blog. Share your suggestion in the form below, and we'll be sure to review your request.

Talk with us

If you have any questions or problems in your business that can be solved with technical solutions, just let us know. We'll do everything we can to help you.