CVE-2022-0778: OpenSSL Denial of Service Vulnerability Alert

by do son · March 16, 2022

The OpenSSL project team released a security bulletin on March 15, 2022, to disclose the CVE-2022-0778 vulnerability, which is of high severity with a CVSS score of 7.5. This vulnerability affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and is fixed in versions 1.1.1n and 3.0.2 released on March 15, 2022.

Vulnerability Detail

The function BN_mod_sqrt() for computing square roots contains a bug that could cause it to loop indefinitely for non-prime moduli. This function is used internally when parsing a certificate that contains an elliptic curve public key in compressed form or an explicit elliptic curve parameter with a base point encoded in compressed form.

“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack,” OpenSSL said in an advisory published on March 15, 2022.

A specific certificate can be crafted to trigger an infinite loop, vulnerable situations include:

TLS clients consuming server certificates
TLS servers consuming client certificates
Hosting providers taking certificates or private keys from customers
Certificate authorities parsing certification requests from subscribers
Anything else which parses ASN.1 elliptic curve parameters

Solution

At present, the OpenSSL project team has released a new version to fix the CVE-2022-0778 vulnerability, and users who use OpenSSL are advised to upgrade to the latest version as soon as possible.

CVE-2022-0778: OpenSSL Denial of Service Vulnerability Alert

Search

Brilliantly

Content & Links