Last week, the OpenSSL team gave advance notice: a critical security flaw would be fixed on November 1, 2022. OpenSSL 3.0.7 is now available, and this release fixes two vulnerabilities rated High. Let's take stock.
These two security flaws, tracked as CVE-2022-3602 and CVE-2022-3786, affect only OpenSSL 3.0.0 and later. Many products rely on OpenSSL, but through the 1.x branch, and in that case they are not affected by these two vulnerabilities. Anyone running a 3.0.x version of OpenSSL needs to upgrade to 3.0.7 as soon as possible.
In summary, keep in mind:
- OpenSSL versions from 3.0.0 to 3.0.6 are vulnerable
- OpenSSL versions 1.1.1 and 1.0.2 are not affected
- OpenSSL 3.0 users should migrate to OpenSSL 3.0.7
Here is some additional information about these two vulnerabilities:
- CVE-2022-3602 – X.509 email address 4-byte buffer overflow (stack overflow of 4 attacker-controlled bytes during punycode decoding in X.509 certificate verification) – may lead to denial of service or potentially remote code execution
- CVE-2022-3786 – X.509 email address variable-length buffer overflow (an arbitrary number of bytes containing the "." character can be written on the stack during X.509 certificate verification) – may lead to denial of service
According to the OpenSSL security advisory, an attacker exploits these vulnerabilities by crafting a malicious email address in an X.509 certificate. The party that is directly impacted is therefore whoever verifies that certificate: "With a TLS client, this can be triggered by connecting to a malicious server. With a TLS server this can be triggered if the server asks for client authentication and a malicious client connects." One caveat worth keeping in mind: the advisory also notes that the overflow is reached only after certificate chain signature verification, so exploitation requires either that a CA has signed the malicious certificate or that the application continues certificate verification despite failing to build a path to a trusted issuer.
Should we be worried?
When the OpenSSL team issued their pre-announcement a few days ago, the vulnerability was rated Critical. The impact now appears more limited: the two CVEs were ultimately published with a High severity, not Critical. To date there is at least one public proof-of-concept exploit, but it only crashes the vulnerable process; it does not achieve remote code execution.
For now, OpenSSL 3.0 is not widely deployed, and the impact would have been far greater had versions 1.1.1 and 1.0.2 been affected. They are not, and that is good news. The Wiz.io blog discusses these vulnerabilities in a post that also includes an interesting graph showing how the different OpenSSL versions are distributed in the wild.
Finally, if you use a Linux distribution such as Debian, Ubuntu, Kali Linux or Fedora, remember to check whether an OpenSSL update is available for your system and apply it. Because the library is loaded by running services (web servers, mail servers, VPN daemons and so on), those services must be restarted after the update for the fix to take effect.
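As an added example that is not part of the original post nor code from the OpenSSL project, the POSIX shell script below classifies an `openssl version` banner against the affected range from the advisory (3.0.0 through 3.0.6 vulnerable, 3.0.7 fixed, 1.x branches not affected) and then reports the local binary and the distribution's library package. The package names `libssl3` (Debian/Ubuntu/Kali) and `openssl-libs` (Fedora) are assumptions about the typical packaging; adjust them for other distributions.

```shell
#!/bin/sh
# Added example (not code from the original post or from the OpenSSL project).
# Classifies an "openssl version" banner against the range given in the
# OpenSSL advisory for CVE-2022-3602 / CVE-2022-3786:
#   3.0.0 .. 3.0.6  -> vulnerable
#   3.0.7 and later -> not-affected
#   1.1.1 / 1.0.2   -> not-affected
# Prints exactly one word: vulnerable, not-affected, or unknown. Always returns 0
# so it can be used inside $(...) under "set -e".
openssl_vuln_status() {
    banner=$1
    # Extract the version token from e.g. "OpenSSL 3.0.6 4 Oct 2022"
    # or "OpenSSL 1.1.1q  5 Jul 2022". Non-OpenSSL banners (LibreSSL, ...) yield nothing.
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch= ;;
    esac
    patch=${patch%%[!0-9]*}   # drop letter suffixes such as the "q" in 1.1.1q
    if [ "$major" != 3 ] || [ "$minor" != 0 ]; then
        echo not-affected      # 1.1.1 / 1.0.2, and anything outside the 3.0.x series
        return 0
    fi
    if [ -z "$patch" ]; then
        echo unknown
        return 0
    fi
    if [ "$patch" -le 6 ]; then
        echo vulnerable        # 3.0.0 ... 3.0.6
    else
        echo not-affected      # 3.0.7 or later
    fi
    return 0
}

# Report the binary on PATH and the distribution's library package, which is
# what long-running services actually load (the CLI binary can differ from
# the libssl a service links against). Package names are assumptions for
# Debian/Ubuntu/Kali (libssl3) and Fedora (openssl-libs).
check_local_openssl() {
    if ! banner=$(openssl version 2>/dev/null); then
        echo "openssl binary not found on PATH"
        return 0
    fi
    echo "$banner -> $(openssl_vuln_status "$banner")"
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='libssl3 package: ${Version}\n' libssl3 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q openssl-libs 2>/dev/null || true
    fi
    return 0
}

check_local_openssl
```

Run it on each host; a `vulnerable` verdict (or a `libssl3`/`openssl-libs` package older than the distribution's 3.0.7-based build) means update and restart the affected services. Note that a statically linked or vendored OpenSSL inside an application will not show up here and has to be checked with the vendor.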