CVE-2022-3602: OpenSSL Remote Code Execution Vulnerability

OpenSSL announced on Tuesday a patch of a high-severity vulnerability. The flaw tracked as CVE-2022-3602, was reported to the OpenSSL Project by Polar Bear. Another bug tracked as CVE-2022-3786 is a denial of service flaw and was found by Viktor Dukhovni.

The issue affects versions 3.0.0 through 3.0.6 which was released on October 11, 2022. OpenSSL version 1.x is not affected by this vulnerability, so older operating systems and devices are safe. For example, RHEL 8 and below versions are based on OpenSSL version 1.x, which is not affected by this security issue but CVE-2022-3602 impacts Red Hat Enterprise Linux (RHEL) version 9. You can view a list of all known vulnerable and non-vulnerable software here.

“The bugs were introduced as part of punycode decoding functionality (currently only used for processing email address name constraints in X.509 certificates). This code was first introduced in OpenSSL 3.0.0. OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected,”  read the OpenSSL blog.

This time, the OpenSSL Project Team also release OpenSSL version 1.1.1s as a bug-fix release.

OpenSSL is an open-source library that is the most widely used in applications for secure data transfers. Websites use it to enable Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.

CVE-2022-3602 was caused by improper bounds checking during X.509 certificate verification. By using a specially-crafted email address, a remote attacker could overflow a buffer and execute arbitrary code or cause the application to crash.

“An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler,” the OpenSSL Project explained in its changelog version 3.0.7.

CVE-2022-3786 was caused by a stack-based buffer overflow during X.509 certificate verification. By using a specially-crafted email address in a certificate to“overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack.”, a remote attacker could exploit this vulnerability to cause a TLS client to crash, which results in a denial of service condition.

To do it worse, “In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”

According to Censys statistics, as of October 30th, 2022, 1,793,111 unique hosts have one or more services broadcasting that they use OpenSSL. Of those, only 7,062 (0.4%) hosts run a version greater than or equal to version 3.0.0. The most deployed version of OpenSSL within the vulnerable range is 3.0.1, with 3,567 unique IP hosts, and version 3.0.5, with 2,759 hosts.

The OpenSSL team has not detected any incident of the exploitation of one of these vulnerabilities in the wild. Due to OpenSSL being so widely used, the potential magnitude of this vulnerability could have major implications for organizations spanning all sizes and industries, hence the urgency to patch and update systems.

How to install OpenSSL 3.0.7

Unix / Linux / macOS:

$ wget https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.7.tar.gz
$ tar -zxf openssl-3.0.7.tar.gz
$ rm openssl-3.0.7.tar.gz
$ cd openssl-3.0.7
$ ./Configure
$ make
$ make test
$ make install

Now you can check your own system by running the shell command:
$ openssl version

Windows

You download the OpenSSL source code here. If you are using Visual Studio, open a Developer Command Prompt and issue the following commands to build OpenSSL.