On November 1, 2022, OpenSSL published version 3.0.7 to address buffer overflow vulnerabilities in OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786). The flaw lies in OpenSSL's certificate verification code and can be used to overflow a buffer and write attacker-controlled data into system memory.
What is the Risk of the OpenSSL Punycode Vulnerability?
The vulnerability was pre-announced as a critical-severity issue but was downgraded to high severity when the details were released, because exploitation depends on several uncommon conditions:
- The vulnerable code runs during certificate verification when accepting client certificates, which most TLS servers do not request or accept; most servers only present their own server certificate.
- Other steps in the verification process can stop the vulnerable code path from being reached.
- Modern platforms often ship with compiler and operating-system protections against buffer overflows that are independent of the vulnerability itself.
What technology is affected by the OpenSSL Punycode Vulnerability?
OpenSSL is used in the products and technologies of a number of major companies and projects, including Canonical, Red Hat, VMware, Node.js and AWS. Vendors are now investigating whether they ship affected versions and issuing patches where necessary. The good news is that two major OpenSSL release lines are in production use, 3.0 and 1.1.1; the 1.1.1 line is not affected by this vulnerability and is still the more common one in production systems.
How do I identify if the OpenSSL Punycode Vulnerability is on my network?
Because the vulnerability carries a high risk rating, Freed Maxick’s cybersecurity team recommends remediating it within 30 days of finding it on a system. For systems and networks under your control, run a vulnerability scan with a specific focus on discovering whether OpenSSL is in use on each system and, if so, whether the installed version is vulnerable. For any systems not directly under your company’s control, consult the listing maintained by the National Cyber Security Centre of the Netherlands (NCSC-NL) to determine whether a product you use is affected or still under investigation. Once the vendor releases a fix, apply it as soon as possible.
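As an added example (not part of this advisory), the following POSIX shell check classifies an OpenSSL version string against the affected range, 3.0.0 through 3.0.6, and reports on the openssl binary found on the host; the function names are my own.

```shell
#!/bin/sh
# Added example: flag OpenSSL 3.0.0 - 3.0.6 as affected by CVE-2022-3602 / CVE-2022-3786.
# Only the 3.0.x line contains the vulnerable Punycode decoder; 1.1.1 and 3.0.7+ are clean.

# openssl_affected VERSION -> exit 0 if affected, 1 if not affected (or version unparseable)
openssl_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # drop any letter or pre-release suffix (1.1.1q, 3.0.0-beta1) so only digits are compared
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = "3" ] || return 1
    [ "$minor" = "0" ] || return 1
    [ -n "$patch" ] || return 1          # "3.0" with no patch level: treat as unknown, not affected
    [ "$patch" -le 6 ] && return 0
    return 1
}

# Pull the version field out of `openssl version` output, e.g. "OpenSSL 3.0.5 5 Jul 2022" -> 3.0.5
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# check_local_openssl -> exit 0 affected, 1 not affected, 2 no openssl binary on PATH
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found on PATH"
        return 2
    fi
    banner=$(openssl version 2>/dev/null)
    ver=$(openssl_version_from_banner "$banner")
    if openssl_affected "$ver"; then
        echo "AFFECTED: OpenSSL $ver (upgrade to 3.0.7 or later)"
        return 0
    fi
    echo "not affected: OpenSSL $ver"
    return 1
}

# Report on this host; the && || form keeps the script from aborting under `sh -e`
check_local_openssl && rc=0 || rc=$?
```

The openssl binary on PATH is not necessarily the library a given service is linked against (bundled or statically linked copies, as in Node.js, will not show up), so pair this check with package-manager records and the vendor listing above.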
Freed Maxick’s cybersecurity team can provide expertise to your company to help augment your ability to identify and prioritize this vulnerability along with others through a comprehensive network vulnerability assessment and penetration test. Please reach out if you have any questions or are interested in discussing further.
OpenSSL Punycode Vulnerability Resources:
OpenSSL Published Details: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
NCSC-NL Listing: https://github.com/NCSC-NL/OpenSSL-2022
CVE-2022-3602 National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-3602
CVE-2022-3786 National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-3786