The update to OpenSSL 3.0.7 is now available on the project's pages. With it, the OpenSSL developers have delivered the new version they had announced a few weeks ago for November 1, 2022. The announcement of the 3.0.7 update attracted attention because it was supposed to close a vulnerability classified as critical. As it turns out, the issue is probably not quite that critical.
What is OpenSSL?
OpenSSL is a widely used code library that enables secure communication over the Internet. It includes implementations of the SSL/TLS network protocols and various cryptographic algorithms, as well as the openssl command-line program for requesting, generating and managing certificates. Practically anyone who surfs the Internet, visits a website or accesses an online service relies on OpenSSL, directly or through the servers and applications involved.
OpenSSL 3.0.7 fixes vulnerability
In the blog post "OpenSSL 3.0.7 with patch for vulnerability announced for Nov. 1, 2022", I had pointed out that the new version of the library was expected to contain a security fix classified as critical. The OpenSSL project has now published a security advisory that reveals the details.
CVE-2022-3602: X.509 email address 4-byte buffer overflow
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. However, this only occurs after the certificate chain signatures have been verified, and it requires either that a CA has signed the malicious certificate or that the application continues certificate verification even though it has no path to a trusted issuer. The issue was reported to OpenSSL on October 17, 2022 by Polar Bear.
An attacker can craft a malicious email address in a certificate to overflow four attacker-controlled bytes on the stack. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, it can be triggered when the server requests client authentication and a malicious client connects. The overflow can cause a crash (resulting in a denial of service) or potentially allow remote code execution.
Many platforms have stack overflow protections that limit the risk of remote code execution. In the preliminary announcements for CVE-2022-3602, the issue was classified as CRITICAL; further analysis based on the mitigating factors described above led to it being downgraded to HIGH. Users are still advised to upgrade to the new version as soon as possible.
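The following C program is an added illustration and not OpenSSL's code: it models the defect class behind CVE-2022-3602, an output bound check that is off by one when a decoder writes 32-bit code points into a fixed-size stack buffer, next to the corrected check. (The real overrun was in OpenSSL's punycode decoding of the email address during name constraint checking, a detail the advisory text above does not spell out.) The function names, the buffer size and the input values are constructed for the demonstration; the one extra backing slot exists only so that the single-element overrun can be observed without undefined behaviour. One `uint32_t` is four bytes, which is exactly the "4-byte" of the CVE title.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Logical size of the fixed stack buffer of 32-bit code points (constructed;
 * the real buffer was larger, a small value makes the overrun easy to see). */
#define MAX_OUT 8u
#define SENTINEL 0xCAFEBABEu

/* Constructed decoder: emits one 32-bit code point per input element into
 * out[], returning the count written or -1 when the buffer is full.
 * Vulnerable variant: the bound check is off by one ('>' instead of '>='),
 * so when written == max_out the check still passes and out[max_out] is
 * written, i.e. exactly one 4-byte element past the end of the buffer. */
static int decode_vulnerable(const uint32_t *in, size_t in_len,
                             uint32_t *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (written > max_out)      /* BUG: must reject written == max_out */
            return -1;
        out[written++] = in[i];
    }
    return (int)written;
}

/* Hardened variant: refuse to write as soon as the buffer is full. */
static int decode_fixed(const uint32_t *in, size_t in_len,
                        uint32_t *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (written >= max_out)
            return -1;
        out[written++] = in[i];
    }
    return (int)written;
}

struct probe_result {
    int rc;          /* decoder return value */
    uint32_t spill;  /* slot just past the logical buffer; SENTINEL if untouched */
};

/* Run a decoder on in_len constructed code points against a buffer whose
 * logical size is MAX_OUT but which is backed by one extra real slot, so the
 * overrun is observable without undefined behaviour. */
static struct probe_result overflow_probe(
    int (*dec)(const uint32_t *, size_t, uint32_t *, size_t), size_t in_len)
{
    uint32_t storage[MAX_OUT + 1];
    uint32_t in[MAX_OUT + 2];          /* constructed input: 0x41414141, 0x41414142, ... */
    struct probe_result r;

    for (size_t i = 0; i < MAX_OUT + 2; i++)
        in[i] = 0x41414141u + (uint32_t)i;
    if (in_len > MAX_OUT + 2)
        in_len = MAX_OUT + 2;
    memset(storage, 0, sizeof storage);
    storage[MAX_OUT] = SENTINEL;

    r.rc = dec(in, in_len, storage, MAX_OUT);
    r.spill = storage[MAX_OUT];
    return r;
}

int main(void)
{
    struct probe_result v = overflow_probe(decode_vulnerable, MAX_OUT + 1);
    struct probe_result f = overflow_probe(decode_fixed, MAX_OUT + 1);
    printf("vulnerable: rc=%d slot[%u]=0x%08x (%s)\n", v.rc, MAX_OUT, v.spill,
           v.spill == SENTINEL ? "intact" : "OVERWRITTEN");
    printf("fixed:      rc=%d slot[%u]=0x%08x (%s)\n", f.rc, MAX_OUT, f.spill,
           f.spill == SENTINEL ? "intact" : "OVERWRITTEN");
    return 0;
}
```

Compile with `cc -Wall -Wextra overflow.c && ./a.out`. Feeding MAX_OUT + 1 code points to the vulnerable decoder overwrites the slot past the buffer with the ninth attacker value, while the fixed decoder returns -1 and leaves the sentinel intact. On a real stack that slot is whatever happens to follow the buffer, which is why the outcome ranges from a crash to, on platforms without stack protections, something worse.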
CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow
A buffer overflow can occur in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either that a CA has signed a malicious certificate or that an application continues certificate verification even though it has no path to a trusted issuer.
An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow can cause a crash (resulting in a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, it can be triggered when the server requests client authentication and a malicious client connects. The vulnerability is rated HIGH severity and was reported to OpenSSL on October 18, 2022 by Viktor Dukhovni.
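As an added illustration of the second defect class (again constructed for this post, not OpenSSL's code): a routine that rebuilds a dotted name label by label into a fixed buffer checks each label's bytes against the remaining space but appends the separator without charging it against that space, so an input consisting of many empty labels writes one '.' per label past the end of the buffer, which is the "arbitrary number of '.' bytes" pattern described above. The hardened variant accounts for the separator as well. Function names, buffer sizes and the inputs are constructed; the extra backing storage only makes the overrun observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 8u   /* logical output buffer size (constructed, tiny on purpose) */
#define SPILL 16u    /* extra backing bytes standing in for adjacent stack data */

/* Constructed model: copy each label of the dot-separated input into out[]
 * and re-emit a '.' after it. `remaining` is only decremented for label
 * bytes; when account_for_dots is 0 the separator write is unchecked, which
 * is the vulnerable behaviour. Returns bytes written or -1 on detected
 * overflow. */
static int join_labels(const char *in, char *out, size_t out_max,
                       int account_for_dots)
{
    size_t written = 0, remaining = out_max;
    const char *p = in;

    for (;;) {
        const char *dot = strchr(p, '.');
        size_t label_len = dot ? (size_t)(dot - p) : strlen(p);

        if (label_len > remaining)      /* label bytes are checked in both variants */
            return -1;
        memcpy(out + written, p, label_len);
        written += label_len;
        remaining -= label_len;
        if (dot == NULL)
            break;
        if (account_for_dots) {         /* FIX: the separator needs room too */
            if (remaining == 0)
                return -1;
            remaining--;
        }
        out[written++] = '.';           /* BUG when unchecked: may land past out_max */
        p = dot + 1;
    }
    return (int)written;
}

struct dots_result {
    int rc;       /* join_labels return value, -2 if the probe refused the input */
    int spilled;  /* number of '.' bytes found past the logical buffer end */
};

/* Run join_labels against a buffer of logical size OUT_MAX backed by SPILL
 * extra bytes and count how many separators landed past the logical end. */
static struct dots_result dots_probe(const char *in, int account_for_dots)
{
    char storage[OUT_MAX + SPILL];
    struct dots_result r = { -2, 0 };

    /* Every input byte maps to at most one output byte, so this bound keeps
     * the probe itself inside the backing storage. */
    if (strlen(in) > sizeof storage)
        return r;
    memset(storage, 0, sizeof storage);
    r.rc = join_labels(in, storage, OUT_MAX, account_for_dots);
    for (size_t i = OUT_MAX; i < sizeof storage; i++)
        if (storage[i] == '.')
            r.spilled++;
    return r;
}

int main(void)
{
    const char *benign = "ab.cd.ef";                        /* constructed, fits exactly */
    const char *hostile = "....." "....." "....." ".....";  /* constructed: 20 empty labels */
    struct dots_result a = dots_probe(hostile, 0);
    struct dots_result b = dots_probe(hostile, 1);
    printf("benign     vulnerable: rc=%d spilled=%d\n",
           dots_probe(benign, 0).rc, dots_probe(benign, 0).spilled);
    printf("hostile    vulnerable: rc=%d spilled=%d\n", a.rc, a.spilled);
    printf("hostile    fixed:      rc=%d spilled=%d\n", b.rc, b.spilled);
    return 0;
}
```

With the hostile input the vulnerable variant writes twenty separators into an eight-byte buffer, twelve of them past its end, and reports success; the fixed variant stops at the ninth separator and returns -1. Because only '.' bytes ever spill, the attacker controls the length of the overwrite but not its content, which is why the advisory rates this one as a denial-of-service issue rather than a code execution risk.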
Only OpenSSL versions 3.0.0 through 3.0.6 are affected by the two vulnerabilities; OpenSSL 1.1.1 and 1.0.2 are not. So far there is no known working exploit for either CVE that leads to code execution. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.7. The installed version can be checked with `openssl version`, but note that applications may ship their own copy of the library, so the system binary is not the only thing to check.
So the vulnerability turns out to be less critical than originally feared. The updated source code can be found on the project page. Affected Linux distributions and the vendors of affected software products can be expected to provide security updates soon. As an end user, the only option is to wait for such updates from the software vendors and then install them.