3 NOV 2022
Two new buffer overflow vulnerabilities, formally assigned CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”) and CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”), have just been disclosed in OpenSSL versions 3.0.0 to 3.0.6.
Both vulnerabilities are rated as High.
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping. It is widely used by Internet servers, including the majority of HTTPS websites, and by security products that protect against Internet intrusions. OpenSSL contains an open-source implementation of the SSL and TLS protocols.
A buffer overflow can be triggered by sending an X.509 certificate with a specially crafted email address in the “id-on-SmtpUTF8Mailbox” field (OID 1.3.6.1.5.5.7.8.9), resulting in a crash (Denial of Service, DoS) or potentially remote code execution on a vulnerable client or server. Exploitation opportunities arise if a server requests authentication information after a malicious client connects, or if a client connects to a malicious server, which then exposes the client.
CVE-2022-3602 covers the 4-byte buffer overflow (a single unsigned int overwrite), which can result in a crash or remote code execution. By contrast, CVE-2022-3786 covers the variable-length overflow variant in the same X.509 email address field, which has the potential to cause crashes.
- OpenSSL versions 3.0.0 to 3.0.6. Any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable.
To validate which version of OpenSSL may have been deployed, administrators may use the following command:
** Please note that this command only reports installed versions of OpenSSL and does not cover copies of the library that may be embedded in or bundled with commercial applications.
Administrators should check with their application vendors for updated information on packages that may need updates.
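The two checks described above, as an added example that is not part of this advisory: a POSIX shell function that classifies an OpenSSL version banner (bare "3.0.5" or the output of `openssl version`) as inside or outside the affected 3.0.0 to 3.0.6 range, plus a second function that pulls an embedded "OpenSSL x.y.z" banner out of an arbitrary binary or shared object, so bundled copies that the installed-version command would miss can be inspected. The function names and the sample banner strings are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): check installed and embedded
# OpenSSL versions against the affected range 3.0.0 .. 3.0.6.

# is_affected_openssl VERSION_STRING
# Accepts "3.0.5" or a banner such as "OpenSSL 3.0.5 5 Jul 2022".
# Returns 0 if the version is 3.0.0 .. 3.0.6, 1 otherwise (other
# branches such as 1.1.1 are not affected by these two CVEs).
is_affected_openssl() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*\).*/\2/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # A bare "3.0" carries no patch level; treat it conservatively as affected.
    [ "$patch" = "$rest" ] && patch=0
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "$patch" -ge 0 ] && [ "$patch" -le 6 ]
}

# find_embedded_openssl_version FILE
# Splits a binary into printable runs (a portable stand-in for strings(1))
# and prints the first "OpenSSL x.y.z" banner found, or nothing.
find_embedded_openssl_version() {
    tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/.*\(OpenSSL [0-9][0-9.]*[a-z]\{0,1\}\).*/\1/p' \
        | head -n 1
}

# Stand-alone usage: report on the system-installed OpenSSL, if present,
# then scan any files given on the command line for embedded copies.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    if is_affected_openssl "$banner"; then
        echo "AFFECTED: $banner (upgrade to 3.0.7)"
    else
        echo "not in affected range: $banner"
    fi
fi
for f in "$@"; do
    v=$(find_embedded_openssl_version "$f")
    if [ -n "$v" ]; then
        if is_affected_openssl "$v"; then
            printf '%s: %s (AFFECTED)\n' "$f" "$v"
        else
            printf '%s: %s\n' "$f" "$v"
        fi
    fi
done
```

Run it as `sh check_openssl.sh /path/to/app/lib/*.so` to cover both the installed library and bundled ones; a hit only tells you a 3.0.x banner is present, so confirm with the vendor whether the application actually links that copy for certificate verification.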
- TLS clients, and TLS servers that are configured to use TLS client authentication.
Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If your copy of OpenSSL comes from your operating system vendor or another third party, request an updated version from them.
TLS servers may want to consider disabling TLS client authentication until fixes are applied.