Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

How to stop high-severity vulnerabilities in OpenSSL

Check Point has found two high-severity vulnerabilities in OpenSSL code that could leave businesses open to possible exploitation, just through common usage of the internet.

user icon
Tue, 08 Nov 2022
How to stop high-severity vulnerabilities in OpenSSL
expand image

Check Point researchers are encouraging all organisations to patch and upgrade all vulnerable tech products to dodge threat actors who are working to weaponise the information gathered on these vulnerabilities.

The OpenSSL project team announced the forthcoming release of their next version is expected to include a fix for a “critical security vulnerability”.

According to OpenSSL Project, the critical vulnerability is able to “affect common configurations and which are also likely to be exploitable”.

The vulnerabilities can be tracked as CVE-2022-3602 (remote code execution) and CVE-2022-3786 (denial of service), according to Check Point researchers.

The two vulnerabilities affect OpenSSL versions 3.0.0 – 3.0.6 and are patched in the most recent release of version 3.0.7.

The Check Point researchers further explain that OpenSSL is a commonly used code library designed to allow secure communication over the internet. Whenever we browse the internet, the website we browse or the online service we access utilises OpenSSL at its very basic level.

The two new high-severity CVEs refer to areas of distributed denial of service (DDOS) and remote code execution (RCE).

Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

DDoS (distributed denial of service) is a category of malicious cyber attacks that hackers or cyber criminals employ in order to make an online service, network resource or host machine unavailable to its intended users on the internet.

DDoS incidents are closely associated with botnets, where hackers take over command and control of thousands of internet-connected devices and then, in co-ordinated attacks, direct all those devices to simultaneously send requests to the target.

According to Lotem Finkelstein, director of threat intelligence and research area at Check Point: “From the Log4j vulnerability to the OpenSSL vulnerability, we’re seeing an exponential increase in the rate and sophistication of cyber attacks globally.

“OpenSSL is the industry’s foundation for securing the internet — enabling communications across email, websites, and web apps to be secure — which makes this threat potentially very dangerous.

“The revelation is that this vulnerability is capable of remote code execution, posing high-risk for any SSL-encrypted product.”

The CVE-2022-3602 vulnerability in OpenSSL occurs due to incorrect processing of Punycode while checking X.509 certificates.

Punycode is a representation of Unicode strings using the limited ASCII character subset. It is usually used to encode domain names containing non-ASCII characters, for example, Japanese letters. A Punycode-encoded string begins with “xn--” and is followed by English characters and digits.

The vulnerable function ossl_punycode_decode may cause buffer overflow during Punycode string decoding. It is called when OpenSSL processes a certificate chain.

In order to exploit vulnerability, it is required to:

  1. Craft a CA (certificate authority) certificate or intermediary certificate that contains the “nameConstraints” field with a malicious Punycode string. The Punycode string must contain at least 512 bytes excluding “xn--”.
  2. Craft a leaf certificate that contains a SubjectAlternateName (SAN) otherName field that specifies a SmtpUTF8Mailbox string

For CVE-2022-3786, buffer overflow occurs in the ossl_a2ulabel vulnerable function.

When this function meets a Punycode part followed by a dot character (“.”), it also appends “.” to the output buffer even if it overflows its size.

This way, an attacker can overflow the output buffer by any number of “.” characters, which leads to the stack corruption. This vulnerability can’t be used for remote code execution, just denial of service.

Check Point researchers advise all enterprises should stay alert and implement best security practices, including patching and updating all systems to the latest operating system and getting ready to update IPS once they become available.

Finkelstein noted that “we are all now in a security race”.

“Check Point will provide a virtual patch to give our technology vendors the proper time to update their open SSL libraries.

“Users should be protected until further updates are available,” Finkelstein added.

[Related: New federal budget set to bolster nation’s cyber resilience]

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.