OpenSSL 1.x, which is unaffected, is still the most popular version stream in use. OpenSSL versions 3.0.0 to 3.0.6 (fixed in 3.0.7)Ī broad array of popular distributions and technologies use OpenSSL in their offerings, including many widely used Linux distributions. We are not aware of any exploitation in the wild at the time of the vulnerability’s release on November 1, 2022. Once again, these vulnerabilities only affect the OpenSSL 3.0.x version stream, which has not yet been widely adopted. This could be done through impersonation (MitM on the network, hijacking an existing resource, etc) or by providing an incentive for a person to click a link (through phishing, watering holes, etc).įor both scenarios, these kinds of attacks do not lend themselves well to widespread exploitation. In the case where a client is the target (web browser, email reader, database connector, etc): The attacker would need to first coerce a vulnerable client to connect to a malicious server.This is an unusual configuration, and usually specialized to higher-security use cases. In the case where a server is the target (a webserver, database server, mail server, etc): The server must first request client authentication as part of a mutual authentication configuration.In other words, exploitability is significantly limited: OpenSSL has a blog available here.Īccording to the OpenSSL advisory, the vulnerability occurs after certificate verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. They differ in two crucial ways: CVE-2022-3786 can overflow an arbitrary number of bytes on the stack with the "." character (a period), leading to denial of service, while CVE-2022-3602 allows a crafted email address to overflow exactly four attacker-controlled bytes on the stack. Upon release, however, neither vulnerability carried a critical severity rating.ĬVE-2022-3786 and CVE-2022-3602 are buffer overflow vulnerabilities in OpenSSL versions below 3.0.7 that both rely on a maliciously crafted email address in a certificate. The OpenSSL team warned maintainers and users on October 25 that a critical flaw was on the way - only the second to ever impact the product. (Currently, only the 1.1.1 and 3.0 version streams of OpenSSL are supported). OpenSSL is a widely used open-source cryptography library that allows for the implementation of secure communications online this includes generating public/private keys and use of SSL and TLS protocols. The OpenSSL project released version 3.0.7 on November 1, 2022, to address CVE-2022-3786 and CVE-2022-3602, two high-severity vulnerabilities affecting OpenSSL’s 3.0.x version stream discovered and reported by Polar Bear and Viktor Dukhovni. The Rapid7 research team will update this blog post as we learn more details about this vulnerability and its attack surface area.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |