Overview
On November 1 the OpenSSL Project released patches addressing the previously rated "Critical" vulnerability that was pre-announced last week. The "Critical" rating has been downgraded to "High."
The vulnerability was
CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow
In the case of CVE-2022-3602, the maliciously crafted email address allows the attacker to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially allow remote code execution.
CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow
In the case of CVE-2022-3786, the maliciously crafted email address allows the attacker to overflow an arbitrary number of bytes containing the `.' character on the stack resulting in a crash/DoS attack.
Attack scenarios
In a TLS client, the vulnerability can be exploited by connecting to a server using a maliciously crafted and signed certificate. This only affects a TLS server if it uses client authentication of the TLS connection and a client with a maliciously crafted certificate connects.
Mitigating circumstances
The malicious certificate requires a valid CA signature in order to pass certificate chain signature verification. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution in the case of CVE-2022-3602. The OpenSSL Project is not aware of any working exploit that could lead to remote code execution, and there is no evidence of this issue being exploited as of the time of release of this advisory (November 1, 2022). 3.x versions of OpenSSL only represent ~1.5% of installations, according to Wiz Labs.
Affected Versions
OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue and all OpenSSL 3.x users should upgrade to OpenSSL 3.0.7. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
References
https://www.openssl.org/news/secadv/20221101.txt
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
Trustwave Response
While there is no active exploit, Trustwave is currently monitoring the situation to make sure that our customers are protected against attacks targeting this vulnerability. We will update this post as more information comes in.