Skip to content

OpenSSL 3.0.x affected by two high severity vulnerabilities- 202211030001

Overview

The Office of Digital Government (DGov) become aware that a buffer overflow vulnerability (CVE-2022-3786) and a buffer overrun vulnerability (CVE-2022-3602) has been identified in OpenSSL versions above 3.0.x. OpenSSL is a widely used cryptographic and secure communication software library. OpenSSL is available on all Operating Systems (OS). DGov recommends organisations running OpenSSL 3.0.x in their environment patch immediately to OpenSSL 3.0.7 to avoid exploitation

What is the threat?

Exploitation of this vulnerability could allow a malicious actor to gain remote code execution rights on the host running OpenSSL and perform unauthorised actions. Additionally, a malicious email address can be crafted to exploit the vulnerabilities and cause a crash (denial of service).

What is the vulnerability ?

  • CVE-2022-3602 - High Severity - A buffer overrun vulnerability triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.

  • CVE-2022-3786 - High Severity - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the ‘.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

What is vulnerable ?

The following versions of OpenSSL have been deemed vulnerable.

  • OpenSSL versions 3.0.0 to 3.0.6. Earlier releases of OpenSSL are not vulnerable.

These vulnerabilities have been addressed in OpenSSL 3.0.7.

What has been observed ?

DGov WA is monitoring the situation, and is not aware of attempted exploitation of these vulnerabilities in Western Australia. There is currently no evidence of exploitation in Western Australia networks.

Recommendation

The Cyber Security Unit recommends Western Australian government organisations immediately:

  • Review the OpenSSL security advisory blog.

  • Review the ACSC blog on the vulnerabilities

  • If vulnerable, download and install OpenSSL 3.0.7 immediately to avoid exploitation.

  • The NCSC-NL are maintaining a software list to track various popular software vendors products vulnerability status regarding these vulnerabilities. It can be viewed here.

  • Notify the Office of Digital Government, Cyber Security Unit via Incident Reporting Portal (IRP) if any evidence found.