Two security flaws in OpenSSL versions 3.0–3.0.6 were recently disclosed by the OpenSSL Project (first released in September 2021). Users are advised to upgrade to OpenSSL 3.0.7, which contains patches for the vulnerabilities CVE-2022-3786 and CVE-2022-3602, which were reduced from “critical” to “high,” and which affect X.509 email address buffer overflows.
OpenSSL is a free and open-source library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols to encrypt data in transit over an insecure network, such as the Internet.
What are the OpenSSL 3.0 vulnerabilities?
One vulnerability that can lead to a denial of service is CVE-2022-3786, which affects X.509 email addresses and their variable length buffer overflows. There is a vulnerability in X.509 email addresses (CVE-2022-3602) that might lead to a denial of service and, in extreme cases, remote code execution due to a 4-byte buffer overflow (the circumstances were not detailed).
Due to the low likelihood of exploiting CVE-2022-3602 under “common situations,” the OpenSSL Project lowered the severity of the issue from critical to high.
How do the vulnerabilities work?
The OpenSSL advisory states, “A buffer overrun can be triggered in X.509 certificate verification, especially in name constraint checks. Keep in mind this happens after the certificate chain signature verification process has completed and necessitates either the malicious certificate being issued by a CA or the application continuing to verify certificates despite the inability to create a path to a trusted issuer. Using a specially crafted email address, an attacker can cause a stack overflow in which they have control of the first four bytes. This buffer overflow might cause the application to crash (resulting in a denial of service) or even allow remote code execution.
“Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler…
“In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”
CVE-2022-3602 – OpenSSL Remote Code Execution
The OpenSSL CVE-2022-3602 vulnerability is caused by the wrong way Punycode is handled when checking X.509 certificates.
Punycode is a way to represent Unicode strings with the limited set of ASCII characters. It is usually used to encode domain names with characters that are not ASCII, like Japanese letters. A string that is encoded in punycode starts with “xn—” and then has English letters and numbers after it.
When a Punycode string is decoded, the function ossl punycode decode could cause a buffer overflow. When OpenSSL processes a certificate chain, it is called. To take advantage of a weakness, it is necessary to:
1) Craft a CA (certificate authority) certificate or Intermediary certificate that contains the “nameConstraints” field with a malicious Punycode string. The Punycode string must contain at least 512 bytes excluding “xn--”.
2) Craft a leaf certificate that contains a SubjectAlternateName (SAN) otherName field that specifies a SmtpUTF8Mailbox string
CVE-2022-3786 – Denial of Service
Buffer overflow occurs in the ossl_a2ulabel vulnerable function. When this function meets a Punycode part followed by a dot character (“.”) it also appends “.” to the output buffer even if it overflows its size.
This way, an attacker can overflow the output buffer by any number of “.” characters, which leads to the stack corruption. This vulnerability can’t be used for remote code execution, just denial of service.
Is your organization at risk?
Only applications that use OpenSSL 3.0 are at risk.
It has been determined by the OpenSSL Security Team that: “The bugs were introduced as part of punycode decoding functionality (currently only used for processing email address name constraints in X.509 certificates). This code was first introduced in OpenSSL 3.0.0. OpenSSL 1.0.2, 1.1.1, and other earlier versions are not affected.”
OpenSSL version 3.0.7 has been released to address these vulnerabilities. Downloads for the new release can be found here.
Read more here