Advisory: CVE-2022-3786 and CVE-2022-3602: X.509 OpenSSL Email Address Buffer Overflows – Inuvika


Inuvika Update Regarding CVE-2022-3786 and CVE-2022-3602: X.509 (OpenSSL Email Address Buffer Overflows)

Overview

Affected versions of the OpenSSL package are vulnerable to a buffer overflow. A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.

In a TLS client, this can be triggered by connecting to a malicious server.

In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

Note: Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible.

Impact on OVD Enterprise

The identified issues do not directly impact OVD Enterprise service components. However, customers are advised to check the version of OpenSSL installed on their Linux servers using the following command (with example output):

% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

This vulnerability affects only OpenSSL 3.0.x, not 1.1.1.
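The following script is an added example (it is not part of the Inuvika advisory or of OpenSSL's own tooling) that automates the check above: it parses the output of `openssl version`, compares both the binary's version and the "(Library: ...)" version it actually loaded against the affected range 3.0.0 through 3.0.6, and classifies the host as affected or not. The sample lines used in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Inuvika advisory or of OpenSSL's own tooling:
# parse the output of `openssl version` and report whether the reported build
# falls in the range affected by CVE-2022-3602 / CVE-2022-3786 (3.0.0 - 3.0.6).

# Print the version number that follows the leading "OpenSSL " on an
# `openssl version` line (e.g. "3.0.5" or "1.1.1q"); print nothing if the
# line does not start with "OpenSSL ".
binary_version() {
    case $1 in
        "OpenSSL "*) v=${1#"OpenSSL "}; printf '%s\n' "${v%% *}" ;;
        *) printf '\n' ;;
    esac
}

# Print the version inside the "(Library: OpenSSL x.y.z ...)" suffix, which is
# the shared library the binary actually loaded; print nothing if absent.
library_version() {
    case $1 in
        *"(Library: OpenSSL "*) v=${1##*"(Library: OpenSSL "}; printf '%s\n' "${v%% *}" ;;
        *) printf '\n' ;;
    esac
}

# Succeed (exit 0) when a version string is 3.0.0 through 3.0.6, the range
# fixed by 3.0.7.  1.1.1x and 3.0.7 or later are not affected.
openssl_version_affected() {
    case $1 in
        3.0.[0-6]|3.0.[0-6][!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one `openssl version` line as AFFECTED, NOT_AFFECTED or UNKNOWN.
# Both the binary's version and the loaded library's version are checked,
# because they can differ when several OpenSSL builds are installed.
classify_openssl_line() {
    bin_v=$(binary_version "$1")
    lib_v=$(library_version "$1")
    if [ -z "$bin_v" ]; then
        echo UNKNOWN
        return 0
    fi
    # Older builds print no "(Library: ...)" part; assume the same build then.
    [ -n "$lib_v" ] || lib_v=$bin_v
    if openssl_version_affected "$bin_v" || openssl_version_affected "$lib_v"; then
        echo AFFECTED
    else
        echo NOT_AFFECTED
    fi
}

# Check the OpenSSL binary on this host, if one is on PATH.
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary on PATH"
        return 0
    fi
    line=$(openssl version 2>/dev/null) || line=""
    echo "$line"
    echo "upstream version check: $(classify_openssl_line "$line")"
}

report_local_openssl
```

Two caveats when reading the result. First, distributions often backport the fix while keeping the upstream version number, so a host reporting 3.0.2 may already carry the patch; the package manager's changelog for the openssl package is authoritative there. Second, `openssl version` only describes the OpenSSL on PATH; applications that bundle or statically link their own copy of OpenSSL have to be checked separately.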

Inuvika continues to review the situation and will advise our customers on any direct impacts on Inuvika products or services.

Current Recommendation for OVD Enterprise Customers

Inuvika recommends that customers follow IT best practices and perform vendor recommended maintenance updates as they are released.

Customers who use an affected OpenSSL 3.0.x version are advised to update to OpenSSL 3.0.7 as soon as possible.

After a patch is applied, verify that the component is performing as expected.

Resources

OpenSSL has released version 3.0.7 as of 1st November 2022: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

SANS Internet Storm Center: a list of affected Linux distributions
DistroWatch: a list of affected Linux distributions

Inuvika Support Resources

In the News

OpenSSL Advisory
OpenSSL Mailing List