CVE-2022-3602
Published: 01 November 2022
Summary
CVE-2022-3602 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A buffer overrun vulnerability exists in OpenSSL versions 3.0.0 through 3.0.6 during X.509 certificate verification, specifically in name constraint checking. The flaw occurs after signature verification of the certificate chain and allows an attacker-controlled email address to overflow four bytes on the stack. It affects both TLS clients and servers and is tracked as CWE-787 with a CVSS 3.1 score of 7.5.
An unauthenticated remote attacker can trigger the issue by presenting a malicious certificate. In a client context this occurs when connecting to a malicious server; in a server context it requires the server to request client authentication. Successful exploitation can produce a crash resulting in denial of service or, depending on platform stack protections and layout, potential remote code execution.
OpenSSL 3.0.7 contains the fix. Public advisories note that the original pre-announcement rating of CRITICAL was later reduced to HIGH because of existing stack overflow mitigations on many platforms, yet still urge prompt upgrade for all affected releases. The associated EPSS score reached a peak of 0.8609 and currently stands at 0.8351.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7287
Vulnerability details
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6).
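To turn the affected-version range stated in the analysis and details sections above into a quick inventory check, here is an added example (not code from the advisory or the OpenSSL project) that classifies `openssl version` output lines and the OpenSSL build linked into the running Python interpreter; the host names and version lines it uses are constructed samples.

```python
import re
import ssl

# Range from the advisory: 3.0.0 through 3.0.6 affected, 3.0.7 fixed.
AFFECTED_FROM = (3, 0, 0)
FIXED_IN = (3, 0, 7)
# Numeric part of "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022";
# the 1.1.1 letter suffix is irrelevant because only 3.0.x is listed as affected.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")

def parse_openssl_version(text):
    """Return (major, minor, patch) from `openssl version` output, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def is_affected(version):
    """True when the version lies in [3.0.0, 3.0.7)."""
    return AFFECTED_FROM <= version < FIXED_IN

def assess(text):
    """Classify one `openssl version` line as affected / not affected / unknown."""
    version = parse_openssl_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"

def assess_inventory(lines):
    """Map host -> verdict for lines of the form 'host: <openssl version output>'."""
    verdicts = {}
    for line in lines:
        host, _, output = line.partition(":")
        verdicts[host.strip()] = assess(output)
    return verdicts

def assess_running_python():
    """Verdict for the OpenSSL build this interpreter is linked against."""
    return assess(ssl.OPENSSL_VERSION)

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    sample = [
        "web-01: OpenSSL 3.0.5 5 Jul 2022",
        "web-02: OpenSSL 3.0.7 1 Nov 2022",
        "legacy-01: OpenSSL 1.1.1q  5 Jul 2022",
        "box-03: openssl: command not found",
    ]
    for host, verdict in assess_inventory(sample).items():
        print(f"{host}: {verdict}")
    print("this interpreter:", assess_running_python())
```

Feed it the collected output of `openssl version` from each host; a verdict of "unknown" means the line carried no parseable version and needs a manual look.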
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are blunted by stack memory protections that render injected code non-executable; these are the platform mitigations the advisory relies on when rating this issue HIGH rather than CRITICAL.