Last updated at Wed, 02 Nov 2022 21:00:42 GMT

The Rapid7 research team will update this blog post as we learn more details about this vulnerability and its attack surface area.

The OpenSSL project released version 3.0.7 on November 1, 2022, to address CVE-2022-3786 and CVE-2022-3602, two high-severity vulnerabilities affecting OpenSSL’s 3.0.x version stream discovered and reported by Polar Bear and Viktor Dukhovni. OpenSSL is a widely used open-source cryptography library that allows for the implementation of secure communications online; this includes generating public/private keys and use of SSL and TLS protocols. (Currently, only the 1.1.1 and 3.0 version streams of OpenSSL are supported). The OpenSSL team warned maintainers and users on October 25 that a critical flaw was on the way — only the second to ever impact the product. Upon release, however, neither vulnerability carried a critical severity rating.

CVE-2022-3786 and CVE-2022-3602 are buffer overflow vulnerabilities in OpenSSL versions below 3.0.7 that both rely on a maliciously crafted email address in a certificate. They differ in two crucial ways: CVE-2022-3786 can overflow an arbitrary number of bytes on the stack with the "." character (a period), leading to denial of service, while CVE-2022-3602 allows a crafted email address to overflow exactly four attacker-controlled bytes on the stack. OpenSSL has a blog available here.

According to the OpenSSL advisory, the vulnerability occurs after certificate verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. In other words, exploitability is significantly limited:

  • In the case where a server is the target (a webserver, database server, mail server, etc): The server must first request client authentication as part of a mutual authentication configuration. This is an unusual configuration, and usually specialized to higher-security use cases.
  • In the case where a client is the target (web browser, email reader, database connector, etc): The attacker would need to first coerce a vulnerable client to connect to a malicious server. This could be done through impersonation (MitM on the network, hijacking an existing resource, etc) or by providing an incentive for a person to click a link (through phishing, watering holes, etc).

For both scenarios, these kinds of attacks do not lend themselves well to widespread exploitation.

Once again, these vulnerabilities only affect the OpenSSL 3.0.x version stream, which has not yet been widely adopted. We are not aware of any exploitation in the wild at the time of the vulnerability’s release on November 1, 2022.

Affected products

  • OpenSSL versions 3.0.0 to 3.0.6 (fixed in 3.0.7)

A broad array of popular distributions and technologies use OpenSSL in their offerings, including many widely used Linux distributions. OpenSSL 1.x, which is unaffected, is still the most popular version stream in use. Major distribution maintainers will likely have individual updates out quickly, but we expect a long tail of advisories and trailing fixes as vendors update additional implementations. Community tracking efforts like this one from Royce Williams, or government tracking efforts like this one from NCSC-NL may also be helpful for following individual vendor impact or remediation communications.

Mitigation guidance

Organizations that are running an affected version of OpenSSL should update to 3.0.7 when practical, prioritizing operating system-level updates and public-facing shared services with direct dependencies on OpenSSL. Emergency patching is not indicated.

Rapid7 customers

The November 1 content release for Nexpose and InsightVM contained two sets of checks for CVE-2022-3786 and CVE-2022-3602:

  • Vulnerability identifiers openssl-cve-2022-3602 and openssl-cve-2022-3786 have authenticated checks based on the output of the openssl version command (generic across Linux distributions and other Unix-like OSes, and requiring the openssl command to be on the PATH of the scanning account).
  • Vulnerability identifiers http-openssl-cve-2022-3602 and http-openssl-cve-2022-3786 do not require authentication, and will report vulnerable against any web server returning an HTTP response header that indicates it is configured with a vulnerable version of OpenSSL.

As Linux vendors or other software products supported as part of our recurring coverage publish advisories (e.g. USNs, RHSAs, DSAs), we will supplement the above coverage with distribution-specific checks.


November 2, 2022 5pm EDT: Added links to Rapid7 AttackerKB analysis for CVE-2022-3786 and CVE-2022-3602.