OpenSSL 3.0.0 - 3.0.6 - Buffer Overflow in X.509 [CVE-2022-3602]
We would like to bring to your attention two new high severity vulnerabilities in OpenSSL affecting versions 3.0.0 to 3.0.6. They are tracked under the following CVE identifiers. Both are buffer overflow vulnerabilities that can be triggered during X.509 certificate verification, specifically in name constraint checking.
CVE-2022-3602
CVE-2022-3786
At this time, we are unaware of any proof-of-concept attacks or exploits for this issue being available in the wild; we will continue to monitor the situation. This is an ongoing threat, and details are still emerging. We will update this threat alert as more information becomes available.
Please note that pre-announcements of CVE-2022-3602 described this issue as critical. Further analysis based on some of the mitigating factors described above has led to it being downgraded to high.
Detection
NCSC-NL has a helpful list of known confirmed affected/unaffected software and systems here:
https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
OpenSSL is a widely distributed software that can be found in a vast variety of devices and systems, as such there are different ways a system can use OpenSSL and different ways to verify its version.
System-wide version check for Unix-like systems and Windows 11 CMD:
openssl version
RHEL, Fedora, Oracle, CentOS package manager:
rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl
Windows PowerShell:
Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue -Path "C:\" -Filter "libssl*"
Running processes that have loaded OpenSSL 3.x:
sudo lsof -n | grep libssl.so.3
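The commands above give you a version string; deciding whether that string falls inside the affected 3.0.0 - 3.0.6 range still has to be done by hand. The following POSIX shell helper is an added example written for this alert (it is not CovertSwarm or OpenSSL code): it parses the output of "openssl version" or of the rpm query above and classifies it against the affected range. The sample version strings in the usage lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify an OpenSSL version string
# against the CVE-2022-3602 / CVE-2022-3786 affected range (3.0.0 - 3.0.6).

# Pull the bare "major.minor.patch" number out of strings such as
# "OpenSSL 3.0.5 5 Jul 2022" ("openssl version") or
# "openssl-libs 3.0.1 43.el9" (the rpm --queryformat line above).
openssl_version_number() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Oo]pen[Ss][Ss][Ll][^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = version is in 3.0.0..3.0.6 (affected),
#              1 = outside that range (not affected by these CVEs),
#              2 = no version number could be parsed from the input.
openssl_affected() {
    ver=$(openssl_version_number "$1")
    [ -n "$ver" ] || { echo "unable to parse an OpenSSL version from: $1" >&2; return 2; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo "$ver: AFFECTED - upgrade to OpenSSL 3.0.7 or later"
        return 0
    fi
    echo "$ver: not affected by CVE-2022-3602 / CVE-2022-3786"
    return 1
}

# Usage on a live system (constructed sample strings shown in the comments):
#   openssl_affected "$(openssl version)"
#   rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl |
#       while read -r line; do openssl_affected "$line"; done
#   openssl_affected "OpenSSL 3.0.5 5 Jul 2022"    # AFFECTED
#   openssl_affected "OpenSSL 1.1.1q  5 Jul 2022"  # not affected (1.1.1 branch)
```

One caveat for package-manager output: enterprise distributions frequently backport security fixes without bumping the upstream version number, so a package reporting 3.0.1 may already carry the 3.0.7 fix in its release tag or changelog. Treat the version check as a first pass and confirm against the distribution's own advisory (the NCSC-NL list above collects these) before closing a finding.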
Remediation
Fixed in OpenSSL 3.0.7
A patch has been released in OpenSSL version 3.0.7 for the affected OpenSSL versions. CovertSwarm recommends updating affected installations of OpenSSL immediately.
https://github.com/openssl/openssl/commit/c42165b5706e42f67ef8ef4c351a9a4c5d21639a