VTA-00425 – OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities
The OpenSSL project has rolled out fixes for two high-severity flaws in its widely used cryptography library that could result in a denial of service (DoS) or remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3768, are buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially crafted email address. For CVE-2022-3768, an attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
In a TLS client, this can be triggered by connecting to a malicious server. For CVE-2022-3602, an attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Versions 3.0.0 through 3.0.6 of the library are affected by the new flaws, which have been remediated in version 3.0.7. It is worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.
Severity:
High
Attack Surfaces:
Web Server
Tactics:
Command and Control, Execution, Initial Access
Techniques:
Command and Scripting Interpreter, Exploit Public-Facing Application
Active Defense Tactics:
Disrupt
Active Defense Techniques:
Baseline, Security Controls, Standard Operating Procedure
SuperPRO’s Threat Countermeasures Procedures:
1. Update to OpenSSL 3.0.7 if the current OpenSSL version is between 3.0.0 and 3.0.6.
2. Always keep all applications patched to the latest version.
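As an added example that is not part of this advisory, the following POSIX shell check maps the output of `openssl version` onto the affected range stated above (3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.x unaffected), so that step 1 can be scripted across a fleet:

```shell
#!/bin/sh
# Added example (not OpenSSL project code): classify an OpenSSL version string
# against the affected range from the advisory.
# Input is the text printed by `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022".

# openssl_status VERSION_STRING -> prints "vulnerable", "fixed" or "unaffected"
openssl_status() {
    # Second whitespace-separated field is the version, e.g. 3.0.5 or 1.1.1q
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Strip any trailing letter suffix (1.1.1q -> 1) before numeric comparison
    patch=$(printf '%s\n' "$patch" | sed 's/[^0-9].*$//')
    case "$major.$minor" in
        3.0)
            # 3.0.0 .. 3.0.6 are affected; 3.0.7 and later carry the fix
            if [ "${patch:-0}" -le 6 ]; then
                echo vulnerable
            else
                echo fixed
            fi
            ;;
        *)
            # 1.x branches (and releases after the 3.0 series) are not affected
            echo unaffected
            ;;
    esac
}

# Check the library installed on this host (requires the openssl binary on PATH)
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        openssl_status "$(openssl version)"
    else
        echo "openssl binary not found"
    fi
}
```

Distribution packages sometimes backport the fix without changing the reported version string, so treat a "vulnerable" result as a prompt to confirm against the package manager's changelog rather than as final.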
Contributed by: Aman