#VU68895 Buffer overflow in OpenSSL


Published: 2022-11-01 | Updated: 2022-12-18

Vulnerability identifier: #VU68895

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2022-3602

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing the email address field inside an X.509 certificate. A remote attacker can supply a specially crafted certificate to the application, trigger a 4-byte buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, but it requires that either a CA signs the malicious certificate or the application continues certificate verification despite failing to construct a path to a trusted issuer.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

OpenSSL: 3.0.0 - 3.0.6
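As an added example (not part of this bulletin or of the OpenSSL project), a small Python triage script that parses `openssl version` banners and classifies each host against the affected range 3.0.0 - 3.0.6 listed above, so the mitigation can be targeted at the hosts that actually need the 3.0.7 update. The host names and banner strings are constructed; the only real command it runs is `openssl version` on the local machine.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Affected range from this bulletin: OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches the one-line banner printed by `openssl version`, e.g.
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022" (1.1.1 uses letter patches).
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*\b")

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner, or None if it is not an OpenSSL banner."""
    m = _VERSION_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(banner: str) -> Optional[bool]:
    """True if the version is in the affected range, False if outside it, None if unknown."""
    v = parse_version(banner)
    return None if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX

def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'affected', 'not affected' or 'unknown' for the CVE-2022-3602 range."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(b)] for host, b in banners.items()}

def local_openssl_banner() -> Optional[str]:
    """Banner of the openssl binary on this machine, or None if it cannot be run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
        return out.stdout
    except (OSError, subprocess.CalledProcessError):
        return None

# Constructed sample banners, as an inventory job might collect them from several hosts.
SAMPLE_BANNERS = {
    "host-a": "OpenSSL 3.0.5 5 Jul 2022",      # inside 3.0.0 - 3.0.6: needs the 3.0.7 update
    "host-b": "OpenSSL 3.0.7 1 Nov 2022",      # first fixed release
    "host-c": "OpenSSL 1.1.1q  5 Jul 2022",    # 1.1.1 branch is outside the affected range
    "host-d": "bash: openssl: command not found",  # no banner: cannot classify, needs a look
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
    here = local_openssl_banner()
    if here is not None:
        print("this host:", triage({"local": here})["local"])
```

Hosts reported as "unknown" (no parseable banner, or a statically linked application bundling its own OpenSSL) still need manual inspection, since the banner check only covers the system-wide binary.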


CPE

External links
http://www.openssl.org/news/secadv/20221101.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability