OpenSSL Vulnerabilities | CVE-2022-3602 & CVE-2022-3786
There have been many talks lately about the recent OpenSSL vulnerabilities (CVE-2022-3602 and CVE-2022-3786). But what exactly is it, and What does this mean for you and your business? This post will break down the vulnerability and explain how you can protect yourself from attacks. So if you’re curious about OpenSSL or want to learn more about online security, keep reading!
OpenSSL has released a security advisory for two vulnerabilities in versions 3.0.0 to 3.0.6 of the OpenSSL library. The first vulnerability, CVE-2022-3602, is a buffer overflow vulnerability that allows an attacker to launch a DoS attack by sending a specially crafted email address to an application that uses OpenSSL for SSL or TLS communications.
The second vulnerability, CVE-2022-3786, is a more severe vulnerability that can allow an attacker to execute arbitrary code by sending a specially crafted email address to an application that uses OpenSSL for SSL or TLS communications.
CVE-2022-3602 is a vulnerability that allows an attacker to occur a Denial Of Service (DoS) attack against an application that uses OpenSSL for SSL or TLS communications.
CVE-2022-3786 is a vulnerability that can allow an attacker to run arbitrary code by sending a specially crafted email address to an application that uses OpenSSL for SSL or TLS communications.
How do vulnerabilities work?
OpenSSL vulnerabilities have been discovered that can be manipulated to cause a denial of service or potentially execute remote code. The Buffer Overrun Vulnerabilities were discovered in Name Constraint Checking for certificates. Still, one is more severe than another because it also affects other certificate verification processes after an invalidated signature path has been reached - this means any application using these functions could crash if not updated promptly with patching from their manufacturer.
OpenSSL is a widely used cryptographic library that provides security features for communications. It has been recently announced that versions of OpenSSL 3.x are affected by two vulnerabilities. Both of these vulnerabilities are caused by improper handling of SSLv2 handshake messages. OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 can potentially impact any user of OpenSSL 3.x versions, which includes popular distributions such as CentOS Stream 9 (dev branch), Fedora 36, Kali 2022.3, Linux Mint 21, Red Hat Enterprise Linux 9, Ubuntu 22.04, and more. It’s important to note that this issue does not impact LibreSSL.
The good news is that these vulnerabilities have yet to be widely adopted, and the most popular distributions that use OpenSSL 3.x are already announcing security updates.
This vulnerability affects OpenSSL versions 3.0.0 to 3.0.6; however, this vulnerability does not affect OpenSSL versions 1.1.1 and 1.0.2.
The OpenSSL Project has fixed the vulnerability that was once considered “critical.” The latest patch release reduced the severity from “critical” to “high” following additional analysis. ioSENTRIX rates the severity of the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 as moderate. Although, these vulnerabilities could allow attackers to get access to confidential data or take control of systems. However, it is essential to understand that the OpenSSL 3.x customer base is relatively small. Additionally, we haven’t discovered any exploitation of this issue in the wild. We recommend fixing the issue rather quickly, but it shouldn’t be treated as “the house on fire”. If mitigation is not possible, organizations should restrict access to vulnerable systems.
Is your Organization at risk?
OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 are present in software that uses OpenSSL 3.0.0. The flaws were introduced as part of the Punycode decoding feature, which is now exclusively used to interpret email address name limitations in X.509 certificates.
So the answer is NO; if your organization is using software that uses OpenSSL 3.0.0, your organization is not at risk for these vulnerabilities. Because the best-known OpenSSL 3.x distributions have already released security fixes, these vulnerabilities have yet to gain widespread adoption.
Remediation and Mitigation
The best way to remediate and mitigate the OpenSSL vulnerabilities (CVE-2022-3602 and CVE-2022-3786) is to upgrade to OpenSSL 3.0.7 as soon as possible. This version includes patches for the vulnerabilities. However, not all businesses are in a position to accomplish this immediately and quickly. In the meantime, it is critical to take precautions against attacks until the patches can be released. One way to do this is to restrict access to vulnerable systems. It is elementary to keep updated on security patches and updates to address any new vulnerabilities as quickly as possible.
How can I determine if this vulnerability is affecting my servers?
Server administrators can check if their servers are vulnerable to OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 by using the curl tool to query TLS servers for whether they require a TLS certificate.
curl https://server-to-test.org 2>&1 | grep "certificate required"
If the answer is “certificate required,” the server is likely vulnerable and should be upgraded to OpenSSL 3.0.7 or later. You can also use readelf to check if the vulnerable function is present in statically-linked binaries.
readelf -a [binary] | grep -i ossl_punycode_decode
Despite being patched by Red Hat, it’s estimated that around 3% of all Internet users remain affected by the CVE-2022-3786 vulnerability. So, how can you safeguard yourself and your data? For starters, ensure you are running the latest version of OpenSSL (3.0.7). If you are using an older version, update as soon as possible. Please let others be aware of these problems if you or someone you know could be affected by them and assist in educating them about the potential risks of using outdated software. If you have any concerns or require assistance updating your version of OpenSSL, ioSENTRIX is available to help. Please get in touch with us by phone or email, and we will be pleased to assist you.