#VU68895 Buffer overflow in OpenSSL


Published: 2022-11-01 | Updated: 2022-12-18

Vulnerability identifier: #VU68895

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2022-3602

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing the email address field inside  X.509 certificate. A remote attacker can supply a specially crafted certificate to the application, trigger a 4-byte buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that either a CA signs the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 3.0.0 - 3.0.6

CPE

External links
http://www.openssl.org/news/secadv/20221101.txt

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Aspera faspio Gateway
IBM AIX update for OpenSSL
Multiple vulnerabilities in Hitachi Energy PCU400
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in Hitachi Energy Lumada Asset Performance Management
Multiple vulnerabilities in several Siemens Products
Multiple vulnerabilities in IBM API Connect
Multiple vulnerabilities in Dell Command | Integration Suite for System Center
Multiple vulnerabilities in Dell Command | Intel vPro Out of Band
Multiple vulnerabilities in Dell Virtual Storage Integrator for VMware vSphere Client