OpenSSL downgrades email address bug from critical to high


Vulnerabilities introduced with punycode functionality in X.509 certificates.

The maintainers of the widely used OpenSSL cryptographic toolkit have revealed details of two serious vulnerabilities, one of which had been expected to be rated critical but was downgraded to high severity.


OpenSSL said the flaws, tracked as CVE-2022-3786 and CVE-2022-3602, are buffer overflow vulnerabilities that could allow malicious input to write to memory outside the designated buffer.

They only affect OpenSSL versions 3.0.0 to 3.0.6 and were introduced when punycode decoding for internationalised domain names was added, in order to process email addresses in X.509 digital certificates.

Any OpenSSL 3.0 application that verifies X.509 certificates from untrusted sources should be considered vulnerable, including Transport Layer Security (TLS) clients and servers.

Originally, it was thought CVE-2022-3602 could be used for remote code execution via the cryptographic library, which has been the target of several serious attacks over the years, including the infamous Heartbleed bug.

CVE-2022-3786 was not rated as critical from the outset, OpenSSL said, as remote code execution was not expected on any platform.

Thanks to testing and feedback, the OpenSSL project decided to mark both the above bugs as high severity.

"Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution," the project maintainers wrote.

"Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead," they added.

However, OpenSSL warns that it cannot know how every platform and compiler arranges memory buffers on the stack, and because of that, remote code execution could still be possible.

Users of OpenSSL 3-series software are advised to upgrade to 3.0.7 as soon as possible.

The flaws do not affect OpenSSL 1.0.2, 1.1.1 and other earlier versions; there is no need to replace TLS server certificates.

Until the vulnerable OpenSSL 3.0 libraries have been upgraded, users can mitigate the bug by disabling TLS client authentication.
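As an added example (not from the article or the OpenSSL project), a small Python check that classifies an `openssl version` string, or the OpenSSL build linked into the running Python interpreter, against the affected range stated above (3.0.0 to 3.0.6, fixed in 3.0.7); the sample version strings are constructed.

```python
import re
import ssl

# Affected range from the OpenSSL advisory for CVE-2022-3602 / CVE-2022-3786:
# 3.0.0 through 3.0.6 are vulnerable, 3.0.7 is fixed; 1.0.2, 1.1.1 and
# earlier branches are not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> tuple:
    """Extract (major, minor, patch) from text such as the output of
    `openssl version`, e.g. 'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1q'.
    The trailing letter used by 1.x releases is ignored: it never decides
    whether a build falls inside the 3.0.0-3.0.6 range."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in: {text!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def is_affected(text: str) -> bool:
    """True if the build is in the vulnerable range 3.0.0 <= v < 3.0.7."""
    return AFFECTED_MIN <= parse_openssl_version(text) < FIXED


def check_running_python() -> dict:
    """Report the OpenSSL this interpreter's ssl module is linked against."""
    v = ssl.OPENSSL_VERSION
    return {"version": v, "affected": is_affected(v)}


if __name__ == "__main__":
    # Constructed sample strings mimicking `openssl version` output.
    for s in ("OpenSSL 3.0.6 11 Oct 2022", "OpenSSL 3.0.7 1 Nov 2022",
              "OpenSSL 1.1.1q 5 Jul 2022", "OpenSSL 3.1.0 14 Mar 2023"):
        print(f"{s:30} affected={is_affected(s)}")
    print(check_running_python())
```

Run the same check against any other runtime that bundles its own OpenSSL (Node, Ruby, Go builds linking libcrypto), since a patched system library does not fix a statically linked copy.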
