Updated: November 9, 2022
Overview
The OpenSSL project recently disclosed a critical vulnerability in the OpenSSL library for version 3.0.0 through 3.0.6, specifically for a bug in the X.509 Certificate. OpenSSL is an encryption library widely used across on-premises, in SaaS applications, datacenter servers, critical endpoints, and in IoT infrastructures. Open SSL is found in commercial and government organizations. Called CVE-2022-3062, this 4-byte buffer overflow vulnerability can be exploited by attackers to crash the device and cause a Denial of Service (DoS) attack or create a Remote Code Execution (RCE).
Background on the Risk
Remote Code Execution (RCE) is the attacker’s ability to access someone else’s computing device and make changes, no matter where the device is geographically located. After gaining system access, attackers usually elevate the privileges to gain “super-user” capabilities to cause more damage like install malware or delete data. Software vendors release regular software patches to overcome vulnerabilities such as RCEs.
The OpenSSL version 3.0.7 corrects this buffer overflow vulnerability issue.
While this vulnerability does not impact Netsurion’s infrastructure or platform, we are providing insights and remediation guidance to our customers, partners, and the industry at large in the spirit of cooperation.
Further Background on OpenSSL
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including many HTTPS websites. OpenSSL contains an open-source implementation of the SSL and TLS protocols. It is available for most UNIX-like operating systems (including Linux, macOS, and BSD) as well as Microsoft Windows.
Impact
This vulnerability affects the following use cases:
- OpenSSL version 3.0.0 to version 3.0.6
The 4 bytes of buffer overflow can lead to the overflow of a stack, which can cause a remote code to be executed by an attacker. For example, a cyber criminal can craft a specific email address to make sure there is a buffer overflow and the code is executed in the victim’s module.
The 3.x version of OpenSSL was recently released in 2021 so there are many more devices and organizations using OpenSSL 1.x and 2.x at this time, which remain unaffected.
Exploit Overview
Upon further analysis, Netsurion has identified that the scenarios where this exploit can occur are fairly specific, but are still considered dangerous. This OpenSSL vulnerability requires either a Certificate Authority (CA) to have signed a malicious certificate, or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. CA’s are very careful in signing a certificate – they will not sign an unauthorized or unknown certificate. A buffer overflow will not occur if a trusted path is not constructed from the issuer of a CA.
Refer to the OpenSSL 3.0 Advisory for more details on the implications of the detected vulnerability.
Applicable Versions
- Any server, platform, or operating system using OpenSSL version 3.0.0 to version 3.0.6
Note that the original OpenSSL 3.x risk rating of Critical, but that has been downgraded to a High Severity cybersecurity vulnerability following industry feedback.
Mitigations
OpenSSL version 3.0 and higher should be updated to version 3.0.7 where the issue has been fixed. There is no impact to OpenSSL versions 1.0 and 2.0. Further mitigations and workarounds may be released in the future if/when active exploits occur.
Best Practices
At this stage, neither Netsurion nor the OpenSSL project are aware of any active exploits in the wild, but that could change rapidly. Best practices to mitigate this vulnerability include:
- To stay protected against CVE-2022-3062 exploits and OpenSSL vulnerabilities, it is important than any users of OpenSSL 3.x patch their devices and systems.
- To determine what version of OpenSSL you have installed, use this command:
Openssl version- Watch for vendor-specific guidance regarding any software impacts due to OpenSSL 3.x.
- Ensure that Netsurion’s sensor is installed on all devices.
Netsurion Detection and Response
Our security experts have determined that at this time, no Netsurion products and services have been found to be impacted by CVE-2022-3602.
Netsurion’s Security Operations Center (SOC) is closely monitoring the OpenSSL situation for updates and any potential exploits by cyber criminals. We will update this Threat Advisory with any future details and attack surface reduction tips.
Detection by Netsurion IDS
Netsurion IDS is updated with the CVE-2022-3602- OpenSSL Punycode exploit signature. Our SOC will detect and perform further investigation for the customers who have opted for our IDS service.
- EXPLOIT Possible OpenSSL Punycode Email Address Buffer Overflow Attempt Inbound (CVE-2022-3602)
- EXPLOIT Possible OpenSSL Punycode Email Address Buffer Overflow Attempt Outbound (CVE-2022-3602)
Detection by Netsurion Vulnerability Management
The Vulnerability Management signature database is updated with OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786. Our SOC will detect and report vulnerable endpoints.
Contact your Netsurion Account Manager with any questions.
References:
- OpenSSL Advisory: https://www.openssl.org/news/secadv/20221101.txt
- OpenSSL FAQs: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
- CISA Update: https://www.cisa.gov/uscert/ncas/current-activity/2022/11/01/openssl-releases-security-update
- Bleeping Computer notice: https://www.bleepingcomputer.com/news/security/openssl-fixes-two-high-severity-vulnerabilities-what-you-need-to-know/