OpenSSL Vulnerability Patch Released

On November 1, 2022, the OpenSSL Project team announced that they released the patch for a significant security vulnerability identified within version 3 of the OpenSSL library.

OpenSSL is a cryptographic software library that offers an open-source implementation of SSL/TLS protocols. It is used by vast numbers of applications, operating systems, and devices throughout the internet. Therefore, this vulnerability is likely to be extremely wide-reaching, and the update must be made immediately.

This vulnerability does not affect Sectigo certificates in any way, and therefore, no Sectigo certificates need to be revoked or replaced.

Vulnerability Patch Specifics

The patch fixes two bugs that were identified in these versions of OpenSSL: 3.0.0 to 3.0.6. Both bugs have to do with international domain names (non-ASCII characters), triggered by specifically malicious email addresses in digital certificates. It is also important to note that this patch was downgraded from ‘critical severity’ to ‘high severity,’ though it is still crucial that the update be made today.

According to OpenSSL, details of the bugs include:

• CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow): A buffer overrun can be triggered in X.509 certificate verifications, specifically in name constraint checking. This occurs after certificate chain signature verification and requires either a Certificate Authority to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the ‘.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
• CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. This occurs after certificate chain signature verification and requires either a Certificate Authority to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.

Both of these vulnerabilities were fixed in OpenSSL 3.0.7. View the full details here and read OpenSSL’s blog post.

It is crucial enterprises that use OpenSSL 3.0.0 to 3.0.6 update their systems immediately, as these high severity vulnerabilities are likely to rapidly become targets. Please ensure the cybersecurity teams within your organization are aware of this vulnerability and are prepared to deploy the OpenSSL patch today.

You can also learn more about the vulnerability by listening to Root Causes 253: OpenSSL Vulnerability Explained.