OpenSSL 3.0.0 - 3.0.6 - Buffer Overflow in X.509 [CVE-2022-3602]

We would like to bring to your attention two new high severity vulnerabilities in OpenSSL affecting versions 3.0.0 to 3.0.6, tracked under the CVE identifiers below. Both are buffer overflows in the punycode decoder that OpenSSL uses during X.509 certificate verification, specifically when checking name constraints against an email address in a certificate. CVE-2022-3602 lets an attacker overflow the stack by four controlled bytes; CVE-2022-3786 lets an attacker overflow it by an arbitrary number of '.' (0x2e) bytes. Either can crash the verifying process (denial of service); remote code execution has not been demonstrated. The malicious certificate must reach the verifier, so TLS clients that connect to a malicious server and TLS servers that request client certificates are the exposed parties. OpenSSL 1.1.1 and 1.0.2 do not contain the vulnerable code.

  • CVE-2022-3602

  • CVE-2022-3786

At this time we are unaware of any proof-of-concept attacks or exploits for this issue being available in the wild, and we will continue to monitor the situation. This is an ongoing threat and details are still emerging; we will update this threat alert as more information becomes available.

Please note that pre-announcements of CVE-2022-3602 described this issue as critical. Further analysis of the mitigating factors led to it being downgraded to high: many platforms implement stack overflow protections that reduce the four-byte overflow to a crash rather than code execution, and the overflow is only reached after the certificate chain signature has been verified, so an attacker needs either a CA to sign the malicious certificate or an application that continues verification even though no trusted path could be built. CVE-2022-3786 was rated high from the outset.


Detection


NCSC-NL maintains a list of software and systems confirmed affected or unaffected:

https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software


OpenSSL is widely distributed software found in a vast variety of devices and systems. A system can use it in several ways (the distribution package, a shared library bundled with an application, or a statically linked copy inside a binary), so there are correspondingly different ways to verify which version is present.


System-wide version check for Unix-like systems and a Windows command prompt (requires an openssl binary on PATH; this reports only the library the command-line tool itself is linked against, so bundled or statically linked copies must be checked separately):


openssl version


RHEL, Fedora, Oracle, CentOS package manager:


rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl


Windows PowerShell (the DLL name, e.g. libssl-3-x64.dll, does not carry the patch level, so the file version is read as well; hits named libssl-1_1* belong to the unaffected 1.1.1 branch):


Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue -Path "C:\" -Filter "libssl*" |
    Select-Object FullName, @{Name = "FileVersion"; Expression = { $_.VersionInfo.FileVersion }}


Running processes that have loaded OpenSSL 3.x (libssl.so.3 is also the soname of the fixed 3.0.7, so cross-check against the package version; statically linked binaries will not appear in this output):


sudo lsof -n | grep libssl.so.3
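The following script, added here as a worked example and not part of the original alert or of the OpenSSL project, ties the checks above together: it classifies an "openssl version" banner against the affected 3.0.0 to 3.0.6 range, treats the LibreSSL banner that macOS ships as out of scope, and lists processes with libssl.so.3 mapped by reading /proc directly, for hosts where lsof is not installed. The function names and the sample banners are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original alert): classify OpenSSL version
# banners against the CVE-2022-3602 / CVE-2022-3786 affected range
# (3.0.0 through 3.0.6, fixed in 3.0.7) and enumerate processes that have
# the OpenSSL 3 shared library mapped, without depending on lsof.

# Print "affected", "fixed", "not-in-scope" or "unknown" for a banner such
# as "OpenSSL 3.0.5 5 Jul 2022" or a bare version string like "3.0.7".
openssl_status() {
    case "$1" in
        *LibreSSL*) echo "not-in-scope"; return 0 ;;   # LibreSSL has its own versioning
    esac
    ver=""
    for tok in $1; do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*) ver="$tok"; break ;;  # first x.y.z token
        esac
    done
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # "1q" (from 1.1.1q) -> "1", "6.1" -> "6"
    patch=${patch:-0}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ]; then
        if [ "$patch" -le 6 ]; then echo "affected"; else echo "fixed"; fi
    else
        # 1.1.1 and 1.0.2 do not contain the punycode decoder; 3.1 and later ship fixed.
        echo "not-in-scope"
    fi
}

# List "pid comm" for processes that currently have libssl.so.3 mapped.
# Reads /proc directly, so it works where lsof is absent. Needs root to see
# other users' processes; statically linked binaries are not found this way.
procs_with_libssl3() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -q 'libssl\.so\.3' "$maps" 2>/dev/null; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done
}

# Report for this host: CLI banner classification plus loaded-library scan.
check_host() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null) || banner=""
        echo "openssl CLI: $banner -> $(openssl_status "$banner")"
    else
        echo "openssl CLI: not on PATH"
    fi
    echo "processes with libssl.so.3 mapped (pid comm):"
    procs_with_libssl3
}

# Constructed sample banners (not captured from any real host) showing the classification.
for sample in "OpenSSL 3.0.6 11 Oct 2022" "OpenSSL 3.0.7 1 Nov 2022" \
              "OpenSSL 1.1.1q  5 Jul 2022" "LibreSSL 3.0.2"; do
    printf '%-30s %s\n' "$sample" "$(openssl_status "$sample")"
done

check_host
```

The soname check is deliberately coarse: a hit on libssl.so.3 only tells you that some OpenSSL 3.x library is loaded, and the banner classification only tells you the upstream version string, which distributions keep unchanged when they backport the fix. Use both as a triage list and confirm against the package release and your vendor's advisory.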


Remediation


Fixed in OpenSSL 3.0.7


A fix has been released in OpenSSL version 3.0.7. CovertSwarm recommends updating affected installations of OpenSSL immediately. Note that Linux distributions typically backport the fix into their existing package without changing the upstream version string (Ubuntu 22.04, for example, stays on 3.0.2), so check the package release against your distribution's advisory rather than relying on the output of "openssl version" alone. The upstream fix commit is:


https://github.com/openssl/openssl/commit/c42165b5706e42f67ef8ef4c351a9a4c5d21639a


References