OpenSSL has released fixes for two high-severity vulnerabilities in its cryptographic library. The vulnerabilities tracked as CVE-2022-3602 and CVE-2022-3786 could result in denial of service and remote code execution. This can in turn lead to disruption of services, the execution of malware targetted machines, as well as complete device takeover.
CVE-2022-3602 and CVE-2022-3786
Both CVE-2022-3602 and CVE-2022-3786 are buffer overrun vulnerabilities that can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker could exploit this vulnerability by creating a malicious email address to cause a buffer overflow that could result in a crash. CVE-2022-3602 originally received a critical rating, but this severity has since been adjusted to high, the same as CVE-2022-3786. This is because many modern platforms have stack overflow protections which would mitigate the risk of remote code execution.
At the time OpenSSL published their advisory, there were no reports of the vulnerabilities being exploited in the wild. You can find more details in the security advisory and blog published by OpenSSL.
Upgrade to OpenSSL Version 3.0.7
The vulnerabilities described above are affecting OpenSSL version 3.0.0 to 3.0.6. All OpenSSL 3.0 users are advised to update their installations to the newly released version 3.0.7. Versions 1.1.1 and 1.0.2 are not affected by this issue. The Netherlands' National Cyber Security Centre also created a list of all software products that are affected or unaffected by the OpenSSL vulnerability. It is advisable to check this list as well.
Discover Vulnerable Devices
The link below will take you to a special report, created by the Lansweeper team, that will provide you with a list of all non-pre-release Linux distributions that are or have been vulnerable or have not yet been confirmed to be not affected yet. This way you can easily locate any installs that are at risk and still need to be updated.
Alternatively, you can also use the OpenSSL Audit report, which gives you a more general list of all OpenSSL installations and their details, including the version number.