Looking at this week’s OpenSSL announcement regarding the vulnerability CVE-2022-3602 found in OpenSSL versions 3.0.x – 3.6.x, we can all breathe a sigh of relief.
OpenSSL is by far the most widely used encryption library globally, appearing in millions of applications. This is the first time the OpenSSL project has given advance warning of a critical patch. The industry was concerned, remembering the OpenSSL Heartbleed vulnerability disclosed in April 2014, which was exploitable on every version and instance of OpenSSL running at that time.
In this week’s case, the issue was initially rated CRITICAL before release. Under OpenSSL’s severity categories, that meant the problem would affect standard configurations and be widely exploitable. Fortunately, upon release, OpenSSL downgraded the severity to HIGH, meaning it affects fewer, less common configurations and is less likely to be exploitable.
The issue is tracked as two separate bugs, CVE-2022-3602 and CVE-2022-3786, both patched in OpenSSL version 3.07. Details of the vulnerabilities point to buffer overruns that can be triggered on email servers performing X.509 certificate verification. Such a buffer overflow could crash the process, causing a denial of service, or potentially allow remote code execution. This means only those running OpenSSL versions 3.0.x – 3.6.x on email servers, email security gateway appliances/apps, and email clients that perform X.509 certificate authentication are susceptible. Another mitigating factor is that many platforms implement stack overflow protections that reduce the risk of remote code execution.
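A quick inventory check for the release range these two CVEs cover, added here as an example and not code from the original post or from Cymulate. It assumes the OpenSSL advisory scope (3.0.0 through 3.0.6 affected, fixed in 3.0.7, 1.x out of scope) and reports both the libssl the interpreter links and the `openssl` CLI, since an application can link a different library than the command-line binary.

```python
"""Flag OpenSSL builds that still need the CVE-2022-3602 / CVE-2022-3786 fix.

Assumptions (not from the original post): affected releases are OpenSSL
3.0.0 through 3.0.6, fixed in 3.0.7; 1.x and 3.1+ are out of scope.
"""
import re
import shutil
import ssl
import subprocess
from typing import Dict, Optional, Tuple

FIXED = (3, 0, 7)
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner such as 'OpenSSL 3.0.5 5 Jul 2022'."""
    m = _BANNER.search(banner)
    if not m:
        return None  # LibreSSL, BoringSSL or unparseable output
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True only for the 3.0 series before the 3.0.7 fix."""
    major, minor, _ = version
    return major == 3 and minor == 0 and version < FIXED


def classify(banner: str) -> str:
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not affected"


def check_host() -> Dict[str, str]:
    """Classify the libssl this interpreter links and the openssl CLI on PATH, if any."""
    report = {"python_libssl": classify(ssl.OPENSSL_VERSION)}
    cli = shutil.which("openssl")
    if cli:
        out = subprocess.run([cli, "version"], capture_output=True, text=True, check=False).stdout
        report["openssl_cli"] = classify(out)
    else:
        report["openssl_cli"] = "unknown"
    return report


if __name__ == "__main__":
    # Constructed sample banners, for running offline
    for banner in ("OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1q  5 Jul 2022"):
        print(f"{banner!r}: {classify(banner)}")
    print(check_host())
```

A result of "not affected" here only covers the library version; appliances that bundle their own OpenSSL still need to be checked on the appliance itself.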
While some chuckle at OpenSSL for initially grading the issue as CRITICAL and then downgrading it to HIGH, I applaud their caution and quick turnaround from announcement to fix.
Let Cymulate Help!
We have created an Advanced Scenario that allows our customers to test existing OpenSSL instances to see if they are vulnerable to these two CVEs.
See the Cymulate Hub for instructions.
If you are not a customer, Cymulate security validation experts will be more than happy to guide you so you can test as well.