CVE-2022-0778
Published: 15 March 2022
Summary
CVE-2022-0778 is a high-severity Infinite Loop (CWE-835) vulnerability in Nodejs Node.js. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is an infinite loop in the BN_mod_sqrt() function within OpenSSL when it processes non-prime moduli during parsing of elliptic curve parameters in compressed form. This affects OpenSSL 1.0.2, 1.1.1, and 3.0 series, where the function is invoked while handling ASN.1-encoded explicit curve parameters or compressed public keys inside certificates and private keys. The flaw is tracked as CWE-835 and carries a CVSS 3.1 score of 7.5 with high impact on availability.
An unauthenticated attacker can supply a malicious certificate or private key containing invalid explicit curve parameters to any process that parses such structures before signature verification completes. This triggers a denial-of-service condition in TLS clients accepting server certificates, TLS servers accepting client certificates, certificate authorities processing requests, hosting providers ingesting customer material, or any other application using the affected function with attacker-controlled inputs. In OpenSSL 1.0.2 the loop is reached only on subsequent public-key operations, but a self-signed certificate suffices to activate it during verification.
Official fixes were released on 15 March 2022 in OpenSSL 1.1.1n, 3.0.2, and 1.0.2zd. Vendor advisories, including Siemens SSA-712929, direct users to upgrade to these patched versions or apply the corresponding backports; no workarounds are documented beyond disabling support for explicit curve parameters where feasible.
EPSS scores rose from a low baseline to a recorded peak of 0.1040, indicating measurable post-disclosure exploitation interest before receding to the current value of 0.0754. No widespread in-the-wild campaigns have been reported beyond proof-of-concept artifacts.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1575
Vulnerability details
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
- Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1).
- Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m).
- Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
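A defensive pre-parse filter for the explicit-parameter case described above, as an added example that is not taken from the advisory or from OpenSSL: it walks raw DER with no crypto library and reports whether each id-ecPublicKey AlgorithmIdentifier carries a named curve or explicit parameters. The function names, the sample byte strings and the named-curve-only policy are assumptions; SEC1 ECPrivateKey parameters and anything wrapped inside an OCTET STRING or BIT STRING are not inspected.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
PARAM_FORM = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}

def read_tlv(buf, pos, end):
    """Parse one DER element in buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated or high-tag-number element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("element overruns its container")
    return tag, pos, pos + length

def children(buf, start, end):
    out = []
    while start < end:
        out.append(read_tlv(buf, start, end))
        start = out[-1][2]
    return out

def ec_param_forms(buf, start=0, end=None, depth=0):
    """Return the parameter form of every id-ecPublicKey AlgorithmIdentifier found."""
    if depth > 32:
        raise ValueError("nesting too deep")
    forms = []
    for tag, vs, ve in children(buf, start, len(buf) if end is None else end):
        if not tag & 0x20:                            # primitive: nothing nested
            continue
        kids = children(buf, vs, ve)
        if (tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06
                and buf[kids[0][1]:kids[0][2]] == ID_EC_PUBLIC_KEY):
            forms.append(PARAM_FORM.get(kids[1][0], "unknown"))
        else:
            forms += ec_param_forms(buf, vs, ve, depth + 1)
    return forms

def must_reject(der):                                 # assumed policy: named curves only
    return any(form != "named" for form in ec_param_forms(der))

def tlv(tag, *parts):                                 # builds the constructed samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
# Constructed samples, not real keys: SEQUENCE { AlgorithmIdentifier, BIT STRING }.
ALG = tlv(0x06, ID_EC_PUBLIC_KEY)
NAMED = tlv(0x30, tlv(0x30, ALG, tlv(0x06, bytes.fromhex("2a8648ce3d030107"))), tlv(0x03, b"\x00\x04"))
EXPLICIT = tlv(0x30, tlv(0x30, ALG, tlv(0x30, tlv(0x02, b"\x01"))), tlv(0x03, b"\x00\x04"))
```

Malformed input raises ValueError, which a caller should treat the same as a rejection; the filter reduces exposure on unpatched hosts and does not replace upgrading to a fixed release.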
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.