Get in Touch
RCE vulnerability in OpenSSL
Overview
OpenSSL has released an update which includes fixes for two high-severity buffer overflow vulnerabilities (CVE-2022-3786) and (CVE-2022-3602) which could potentially lead to remote code execution (RCE) or denial of service. OpenSSL is an open source library to implement TLS encryption which is used in many different web server software stacks.
The vulnerabilities are both buffer overflow issues in the certificate verification function. Exploiting them requires an attacker to generate a signed, malicious x.509 certificate. If the certificate is self-signed, then exploitation requires the application (or user) to choose to trust the certificate. Many platforms include mitigations which would prevent exploitation. For this reason, the severity has been downgraded to high from the initial, pre-release assessment of critical.
The vulnerability was added in OpenSSL version 3.0.0, released in September 2021.
Impact
A remote attacker may be able to run code or crash a vulnerable web server running recent versions of OpenSSL if the server requests client authentication from a malicious client.
A remote attacker may be able to execute code on a vulnerable device if a client can be induced to initiate a connection to a malicious server.
Vulnerability Detection
Check which version of OpenSSL is installed on Linux using the following command:
openssl version
On windows: Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue -Path "C:\" -Filter "libssl*"
Quorum Cyber Vulnerability Management customers will be notified of their results after their next scan. SOC customers will receive results from their threat hunts in the usual way.
More scanning tools are listed here.
Affected Products
NCSC-NL maintains a list of affected software here.
Containment, Mitigations & Remediations
Users of the OpenSSL 3.0.x branch should upgrade to OpenSSL 3.0.7.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Indicators of Compromise
None observed. No known exploitation in the wild.
Threat Landscape
An RCE in a widely used, public-facing library could have an incredibly high impact. Fortunately this vulnerability only affects a very limited subset of OpenSSL users and was noticed soon after its introduction. For comparison, the Heartbleed vulnerability (CVE-2014-0160) was introduced in 2012 and was present in production systems for years before the advisory was published in 2014.
Mitre Methodologies
T1190 – Exploit Public-Facing Application
Further Information
CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
