OpenSSL details two vulnerabilities that can lead to remote code execution, calls upon organizations to upgrade to 3.0.7

OpenSSL published on Tuesday a security advisory addressing two vulnerabilities, a buffer overrun and a buffer overflow in X.509 certificate verification (specifically in name constraint checking), affecting OpenSSL versions 3.0.0 through 3.0.6. Both are triggered by a malicious email address crafted into a certificate. Exploitation could crash the process that is verifying the certificate (denial of service) and, in the worst case, could potentially give a malicious actor remote code execution on the host running OpenSSL.

The vulnerabilities, CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow) and CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow), affect OpenSSL, a widely adopted cryptographic and secure-communication library that ships with most operating systems and is used across organizations.

The advisory calls upon OpenSSL 3.0 users to upgrade to OpenSSL 3.0.7. Any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable, which includes TLS clients, and TLS servers that are configured to use TLS client authentication. The advisory also notes that the overflow occurs after certificate chain signature verification, so triggering it requires either a CA to have signed the malicious certificate or the application to continue certificate verification despite failing to build a path to a trusted issuer.

It added that OpenSSL 1.1.1 and 1.0.2 are not affected by these issues; users of 1.1.1 are nonetheless advised to run the latest release in that series, 1.1.1s. OpenSSL 1.1.1 is supported until 11th September 2023. Users of older versions such as 1.0.2 are encouraged to upgrade to OpenSSL 3.0 (there was never an OpenSSL 2 release; 3.0 followed 1.1.1 directly).

“CVE-2022-3602 was reported in private to OpenSSL on 17th October 2022 by Polar Bear who was performing an audit of OpenSSL code,” according to a blog post released Tuesday. “Subsequent analysis of that issue on 18th October 2022 by Viktor Dukhovni identified a second independently triggerable issue, CVE-2022-3786. On 25th October 2022 we notified various organisations under our Prenotification Policy. OpenSSL 3.0.7 that contains fixes for these issues was released on 1st November 2022.”

The advisory adds that the fixes were developed by Dr. Paul Dale. OpenSSL also said that it is not aware of any working exploit that could lead to code execution, and had no evidence of the issues being exploited at the time the advisory was released. Because the OpenSSL project does not track deployments, it has no estimate of the number of users or servers affected.

According to OpenSSL, a cyber threat actor leveraging CVE-2022-3602 “can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution,” which in the worst case would let them take control of an affected system. CVE-2022-3786, by contrast, lets an attacker overflow an arbitrary number of bytes on the stack, but every overflowed byte is the ‘.’ character (decimal 46), so only the length of the overwrite, not its content, is attacker controlled. Many platforms implement stack overflow protections which would mitigate the risk of remote code execution, and the risk may be further mitigated by the stack layout for any given platform and compiler combination.

Pre-announcements of CVE-2022-3602 described the issue as ‘critical,’ as it is an arbitrary four-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE), OpenSSL said in the blog. “During the week of prenotification, several organizations performed testing and gave us feedback on the issue, looking at the technical details of the overflow and stack layout on common architectures and platforms,” it adds.

“Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution,” OpenSSL said. “Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.”

However, “as OpenSSL is distributed as source code we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms,” the post added.

Pointing to its security policy, OpenSSL states that a vulnerability might be described as ‘critical’ if “remote code execution is considered likely in common situations”. “We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1st November 2022 before being released to ‘high.’”

CVE-2022-3786 was not rated as critical from the outset, because only the length and not the content of the overwrite is attacker controlled, and OpenSSL does not expect exposure to remote code execution on any platform. “We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible,” it adds.

Following the OpenSSL announcement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) called upon users and administrators to review the OpenSSL advisory, blog, and OpenSSL 3.0.7 announcement, apart from also upgrading to OpenSSL 3.0.7.

The Australian Cyber Security Centre (ACSC) said in a Wednesday alert that it is aware of a buffer overrun and a buffer overflow vulnerability in OpenSSL 3.x. “All Australian organisations using version 3.x should apply the available patch immediately,” it adds.

The ACSC is not aware of any successful exploitation attempts against Australian organizations.

Organizations running OpenSSL 3.0.x should review their patch status and update to 3.0.7. There are no known workarounds. Because third-party vendor software frequently bundles its own copy of OpenSSL, patching the system library alone is not sufficient; organizations should consult their vendors about patching the embedded copies.
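The version guidance above (3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.1.1 and 1.0.2 unaffected but 1.1.1s recommended) and the vendor-software caveat can be turned into a small triage tool. The following is an added example written for this article, not code from the OpenSSL project or any of the agencies quoted: it parses the version text that `openssl version` prints, applies the advisory's rules, and scans raw binaries for the same embedded version text so that statically linked or vendored copies of libcrypto are not missed. The sample version lines and the fake binary are constructed inputs; the `check_local_openssl` helper is the only part that touches the host.

```python
"""Triage helper for the OpenSSL 3.0.0-3.0.6 X.509 overflows (CVE-2022-3602, CVE-2022-3786).

Added example for this article; not code from the OpenSSL project. Classifies
OpenSSL version strings against the affected range stated in the advisory and
scans binaries for embedded copies. All sample inputs below are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# OpenSSL embeds its version text as e.g. "OpenSSL 3.0.5 5 Jul 2022" or
# "OpenSSL 1.1.1q  5 Jul 2022"; the single-letter suffix only exists on 1.x.
_VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

LATEST_111 = "s"  # 1.1.1s, the release the advisory recommends for 1.1.1 users

Version = Tuple[int, int, int, str]


@dataclass(frozen=True)
class Verdict:
    version: str
    status: str  # "vulnerable" | "fixed" | "unaffected" | "unknown"
    advice: str


def parse_version(text: Union[str, bytes]) -> Optional[Version]:
    """Return (major, minor, patch, letter) for the first OpenSSL version text found, or None."""
    data = text.encode() if isinstance(text, str) else text
    m = _VERSION_RE.search(data)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, m.group(4).decode()


def assess(version: Version) -> Verdict:
    """Apply the advisory's affected/unaffected rules to a parsed version."""
    major, minor, patch, letter = version
    label = f"{major}.{minor}.{patch}{letter}"
    if (major, minor) == (3, 0):
        if patch <= 6:  # 3.0.0 through 3.0.6 carry both bugs
            return Verdict(label, "vulnerable", "upgrade to OpenSSL 3.0.7 or later")
        return Verdict(label, "fixed", "3.0.7 or later contains the fixes")
    if (major, minor, patch) == (1, 1, 1):
        if letter < LATEST_111:
            return Verdict(label, "unaffected", "not affected, but 1.1.1s is the current 1.1.1 release")
        return Verdict(label, "unaffected", "not affected")
    if (major, minor, patch) == (1, 0, 2):
        return Verdict(label, "unaffected", "not affected, but out of public support; plan a move to 3.0.7+")
    return Verdict(label, "unknown", "not covered by this advisory; check that branch's own release notes")


def scan_blob(blob: bytes) -> List[Verdict]:
    """Find every distinct OpenSSL version text embedded in a binary and assess each.

    Vendor software often bundles its own libcrypto or links OpenSSL statically, so
    `openssl version` can report 3.0.7 while a 3.0.x copy sits inside an application.
    """
    seen: List[Version] = []
    for m in _VERSION_RE.finditer(blob):
        v = (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode())
        if v not in seen:
            seen.append(v)
    return [assess(v) for v in seen]


def check_local_openssl() -> Optional[Verdict]:
    """Run the system `openssl version` and assess it; None if the tool is missing."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    parsed = parse_version(out)
    return assess(parsed) if parsed else None


# Constructed samples: what `openssl version` prints on a few hosts, and a fake
# ELF-like blob carrying an embedded 3.0.2 next to an unrelated 1.1.1n string.
SAMPLE_OUTPUTS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "OpenSSL 1.1.1s  1 Nov 2022",
    "OpenSSL 1.0.2u  20 Dec 2019",
]
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                 + b"OpenSSL 3.0.2 15 Mar 2022\x00"
                 + b"unrelated strings\x00"
                 + b"OpenSSL 1.1.1n  15 Mar 2022\x00")

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        v = assess(parse_version(line))
        print(f"{v.version:10} {v.status:11} {v.advice}")
    print("embedded copies in sample binary:")
    for v in scan_blob(SAMPLE_BINARY):
        print(f"  {v.version:10} {v.status:11} {v.advice}")
    local = check_local_openssl()
    print("local openssl:", f"{local.version} {local.status}" if local else "not found")
```

To sweep a fleet, feed `scan_blob` the bytes of each shared object and executable under the application directories of interest rather than trusting the distribution package version alone; a `vulnerable` verdict on an embedded copy is the case the ACSC's vendor-consultation advice is about.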
