Inuvika Update Regarding CVE-2022-3786 and CVE-2022-3602: X.509 (OpenSSL Email Address Buffer Overflows)
Overview
Affected versions of the OpenSSL package are vulnerable to a buffer overflow. A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.
In a TLS client, this can be triggered by connecting to a malicious server.
In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
Note: Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible.
Impact on OVD Enterprise
The identified issues do not directly impact OVD Enterprise service components. However, customers are advised to check the version of OpenSSL installed on their Linux servers using the following command (with example output):
% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
This vulnerability only affects OpenSSL 3.0.x, not 1.1.1.
Inuvika continues to review the situation and will advise our customers of any direct impact on Inuvika products or services.
Current Recommendation for OVD Enterprise Customers
Inuvika recommends that customers follow IT best practices and apply the vendor-recommended maintenance updates as they are released.
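The version check above can be scripted across a fleet of servers. The following POSIX shell function is an added example, not Inuvika's or the OpenSSL project's code: it parses an `openssl version` line and reports whether the installed library falls in the affected range. It assumes the rule stated on this page (the fix shipped in 3.0.7, so 3.0.x releases before 3.0.7 are treated as affected; 1.1.1 is not), and the sample lines it runs over are constructed.

```shell
#!/bin/sh
# Added example: classify an `openssl version` line for CVE-2022-3786 / CVE-2022-3602.
# Rule (from the advisory): 3.0.x below 3.0.7 -> affected; 3.0.7 -> fixed; other series -> not affected.

# Prints one of: affected, fixed, not-affected, unknown.
classify_openssl_version() {
    line="$1"
    # The "(Library: ...)" part is the runtime library actually loaded; prefer it
    # over the leading build-time version when both are present.
    ver=$(printf '%s\n' "$line" | sed -n 's/.*Library: OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || ver=$(printf '%s\n' "$line" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop any letter suffix such as the "q" in 1.1.1q
    if [ "$major" != "3" ] || [ "$minor" != "0" ]; then
        echo "not-affected"    # only the 3.0 series is affected
    elif [ "${patch:-0}" -lt 7 ]; then
        echo "affected"        # 3.0.0 .. 3.0.6
    else
        echo "fixed"           # 3.0.7 or later 3.0.x
    fi
    return 0
}

# Constructed sample lines (not captured from a real server):
for sample in \
    "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)" \
    "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)" \
    "OpenSSL 1.1.1q  5 Jul 2022"; do
    printf '%-64s %s\n' "$sample" "$(classify_openssl_version "$sample")"
done

# Check the local system too, if an openssl binary is on PATH.
command -v openssl >/dev/null 2>&1 && classify_openssl_version "$(openssl version)"
```

Run it on each server (for example over ssh) and act on any line reported as "affected".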
Customers who use an affected OpenSSL 3.0.x version are advised to update to OpenSSL 3.0.7 as soon as possible.
After applying a patch, verify that the component works as expected.
Resources
OpenSSL has released version 3.0.7 as of 1st November 2022: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
SANS Internet Storm Center: a list of affected Linux distributions
DistroWatch: a list of affected Linux distributions
Inuvika Support Resources
In the News
OpenSSL Advisory
OpenSSL Mailing List