OpenSSL has released version 3.0.7 to address two high-severity vulnerabilities in its cryptographic library, tracked as CVE-2022-3602 and CVE-2022-3786. Both are buffer overruns in X.509 certificate verification, reached through a maliciously crafted email address in a certificate: when an internationalised (punycode-encoded) email address is checked against a name constraint, CVE-2022-3602 lets an attacker write four controlled bytes past the end of a stack buffer, which can crash the process (denial of service) and was initially feared to permit remote code execution, while CVE-2022-3786 lets an attacker overflow the buffer with an arbitrary number of '.' characters, resulting in a crash.

The OpenSSL advisory states that both TLS clients and TLS servers are exposed. A TLS client can be attacked simply by connecting to a malicious server that presents a crafted certificate; a TLS server is exposed only if it requests client authentication and a malicious client connects with a crafted certificate. Affected versions are OpenSSL 3.0.0 through 3.0.6, with the fix in 3.0.7; the 1.1.1 and 1.0.2 branches do not contain the vulnerable code and are unaffected.

Data released by Censys identified approximately 7,062 hosts running vulnerable OpenSSL versions as of October 30, 2022, with the largest numbers in the United States, Germany, and Japan. Because such counts can only see hosts that advertise a version string in a service banner, they understate real exposure: the question for any organisation is not where it is located but whether it runs OpenSSL 3.0.x anywhere, including in applications and containers that bundle their own copy.

CVE-2022-3602 was pre-announced as critical but downgraded to high before release, after analysis showed that on many platforms the four-byte stack overwrite is mitigated by stack overflow protections and by the stack layout produced by common compilers, making remote code execution unlikely in practice. Both issues are nevertheless treated as serious, and OpenSSL urges users of 3.0.x to upgrade promptly.

Security experts have noted that exploitation is significantly constrained. As Rapid7 observed, the overflow occurs during name-constraint checking, which runs only after the certificate chain's signatures have been verified. An attacker therefore needs a malicious certificate that chains to a certificate authority the victim trusts (or a victim application that continues verification despite failing to build a trusted path), and the chain must contain name constraints for the vulnerable check to run at all. Servers that request client certificates (mutual TLS) accept certificates from arbitrary remote clients and should be patched first.
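To make the version range and the trigger condition above concrete, here is an added Python example; it is not code from the OpenSSL project or from the article. It assumes version strings in the form printed by `openssl version` (or exposed by Python's `ssl.OPENSSL_VERSION`) and email SubjectAltName entries supplied as plain strings from a certificate inventory. The detail that only email addresses whose domain carries an IDNA A-label (`xn--...`) reach the vulnerable punycode decoder comes from the OpenSSL advisory and fix rather than from this article; the helper names (`is_affected`, `punycode_email_domain`, `flag_risky_sans`) are this example's own.

```python
"""Triage helpers for CVE-2022-3602 / CVE-2022-3786.

Added example for this article; not code from the OpenSSL project.
Assumptions: version strings look like the output of `openssl version`
(or Python's ssl.OPENSSL_VERSION), and SAN e-mail addresses are supplied
as plain strings, e.g. from a certificate inventory.
"""
import re
import ssl

# Affected: 3.0.0 <= version < 3.0.7. The 1.1.1 and 1.0.2 branches never
# contained the punycode decoder and are not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")
_OTHER_LIBS = ("LibreSSL", "BoringSSL")


def parse_openssl_version(text):
    """Return (major, minor, patch) from a string such as
    'OpenSSL 3.0.6 11 Oct 2022' or 'OpenSSL 1.1.1q  5 Jul 2022'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True if the string denotes an OpenSSL build in the vulnerable range
    3.0.0-3.0.6. LibreSSL/BoringSSL use their own numbering and are not
    OpenSSL, so they are never flagged here."""
    if text.lstrip().startswith(_OTHER_LIBS):
        return False
    return AFFECTED_MIN <= parse_openssl_version(text) < FIXED_IN


def runtime_self_check():
    """Report on the OpenSSL this interpreter is linked against. This says
    nothing about other copies on the host (statically linked binaries,
    vendored libraries, container images), which must be checked separately."""
    return ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION)


# The vulnerable path is the punycode decoder OpenSSL uses to convert an
# IDNA A-label ("xn--...") e-mail domain to Unicode while comparing a leaf
# certificate's e-mail SubjectAltName against a CA's name constraints.
# Only addresses whose domain contains such a label reach that decoder.
_ALABEL = re.compile(r"(?:^|\.)xn--", re.IGNORECASE)


def punycode_email_domain(email):
    """Return the Unicode (U-label) form of the address's domain if the
    domain contains a punycode label, else None."""
    _local, sep, domain = email.rpartition("@")
    if not sep or _ALABEL.search(domain) is None:
        return None
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        # Malformed A-label: Python rejects it. That is exactly the kind of
        # input a crafted certificate would carry, so report it undecoded.
        return domain


def flag_risky_sans(emails):
    """Given the e-mail SAN entries of one certificate, return those that
    would exercise the punycode decoder, paired with their decoded domain."""
    flagged = []
    for email in emails:
        decoded = punycode_email_domain(email)
        if decoded is not None:
            flagged.append((email, decoded))
    return flagged


if __name__ == "__main__":
    print("interpreter OpenSSL:", runtime_self_check())
    # Constructed sample inventory, not taken from real certificates.
    sample = ["alice@example.com", "bob@xn--bcher-kva.example"]
    for email, domain in flag_risky_sans(sample):
        print(f"{email}: punycode domain decodes to {domain!r}")
```

A certificate in the flagged list is not malicious by itself; the point of the check is that such certificates, when they chain to a trusted CA whose chain carries name constraints, are the only ones that can drive the vulnerable decoder on an unpatched 3.0.x verifier. The version check is the one to run against every binary and image in an inventory, since the interpreter's own linkage is only one copy of the library.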

Taken together, the platform-level mitigations and the difficulty of obtaining a trusted certificate that both carries a malformed email address and passes through a name-constrained chain mean the practical impact is narrower than the initial critical rating suggested, as industry analysts have pointed out.

OpenSSL, essential for secure communications, is built into many operating systems and software packages, including most Linux distributions, and is also statically linked or vendored by individual applications. Docker has warned that around 1,000 image repositories may contain vulnerable versions, so containerised applications need to be rebuilt on patched base images; patching the host's copy of the library does nothing for the copy inside a container.

While the disclosed vulnerabilities are severe, experts stress that they do not require certificates to be revoked or reissued: the flaw is in the verifying library, not in any certificate or key. The remedy is to upgrade to OpenSSL 3.0.7 wherever 3.0.x is in use, including statically linked copies and container images. Given OpenSSL's ubiquity, organisations should inventory where 3.0.x is deployed and prioritise TLS clients that connect to untrusted servers and servers that request client certificates, mapping the resulting exposure to the MITRE ATT&CK framework's initial access and privilege escalation tactics where they track risk that way.
