SpiderLabs Blog

Denial of Service and RCE in OpenSSL 3.0 (CVE-2022-3786 and CVE-2022-3602)

Overview

On November 1, the OpenSSL Project released patches addressing the vulnerability that was pre-announced last week with a "Critical" rating. That "Critical" rating has since been downgraded to "High."

The vulnerability was split into two CVEs (both rated "High"), CVE-2022-3786 and CVE-2022-3602. Both affect how a TLS server or client verifies an X.509 certificate, specifically the email address it contains. To exploit either vulnerability, the attacker needs a specifically crafted X.509 certificate that contains a specially crafted email address. When the X.509 certificate is verified, the email field can cause a memory overrun (buffer overflow) that allows the attacker to crash the TLS software and potentially to inject and execute attacker-controlled code.

CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow

In the case of CVE-2022-3602, the maliciously crafted email address allows the attacker to write four attacker-controlled bytes past the end of a buffer on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially allow remote code execution.

CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow

In the case of CVE-2022-3786, the maliciously crafted email address allows the attacker to overflow a stack buffer with an arbitrary number of bytes containing the `.` character, resulting in a crash (denial of service).

Attack scenarios

In a TLS client, the vulnerability can be exploited by connecting to a server that presents a maliciously crafted and signed certificate. A TLS server is only affected if it uses client authentication for the TLS connection and a client presenting a maliciously crafted certificate connects.

Mitigating circumstances

The malicious certificate requires a valid CA signature in order to pass certificate chain signature verification. Many platforms implement stack overflow protections, which would mitigate the risk of remote code execution in the case of CVE-2022-3602. The OpenSSL Project is not aware of any working exploit that could lead to remote code execution, and there was no evidence of this issue being exploited as of the release of the advisory (November 1, 2022). OpenSSL 3.x versions represent only ~1.5% of installations, according to Wiz Labs.

Affected Versions

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue and all OpenSSL 3.x users should upgrade to OpenSSL 3.0.7. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
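A quick way to triage hosts against the affected range above is to parse the OpenSSL version banner and compare it to 3.0.0 through 3.0.6. The following is an added example written for this post, not code from Trustwave or the OpenSSL Project; it assumes the `openssl` binary is on PATH and also checks the OpenSSL build linked into the Python interpreter, which is often a different copy.

```python
import re
import ssl
import subprocess

# Affected range taken from the advisory text: OpenSSL 3.0.0 through 3.0.6,
# fixed in 3.0.7. The 1.1.1 and 1.0.2 branches are not affected.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# LibreSSL banners ("LibreSSL 3.3.6") deliberately do not match: LibreSSL 3.x is a
# different code base and is not covered by these CVEs.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from an OpenSSL version banner, or None if
    the banner is not an OpenSSL version string. The 1.x letter suffix is
    ignored because only the numeric 3.0.x range matters for this check."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(banner: str) -> bool:
    """True if the banner reports an OpenSSL build in the 3.0.0-3.0.6 range."""
    version = parse_openssl_version(banner)
    if version is None:
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_local_host() -> dict:
    """Check the 'openssl' CLI on PATH and the OpenSSL linked into this
    interpreter; returns {name: (banner, affected)}."""
    try:
        cli = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, timeout=5).stdout.strip()
    except (OSError, subprocess.SubprocessError):
        cli = ""  # binary missing or not runnable; treated as not found
    return {
        "cli": (cli or "not found", is_affected(cli)),
        "python": (ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION)),
    }


if __name__ == "__main__":
    for where, (banner, bad) in check_local_host().items():
        status = "AFFECTED - upgrade to 3.0.7" if bad else "not affected"
        print(f"{where:7s} {banner:40s} {status}")
```

The same `is_affected` check can be run over banners collected from a fleet (for example, the output of `openssl version` gathered by configuration management) to list hosts that still need the 3.0.7 upgrade.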

References

https://www.openssl.org/news/secadv/20221101.txt

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

Trustwave Response

While there is no active exploit, Trustwave is currently monitoring the situation to make sure that our customers are protected against attacks targeting this vulnerability. We will update this post as more information comes in.
