OpenSSL vulnerability CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) Check Point Research Update

Initially published: 1:00 pm, Tuesday, 1 November 2022, Eastern Time (ET)
Last updated: 4.40 pm, Tuesday, 1 November 2022, Eastern Time (ET)

A tense week-long wait has come to an end, as the embargo has been lifted – we have two have new high severity vulnerabilities in OpenSSL.
These vulnerabilities can be tracked as:
CVE-2022-3602 (remote code execution) and CVE-2022-3786 (Denial of Service).
These two vulnerabilities affect OpenSSL versions 3.0.0 – 3.0.6 and are patched in the most recent release of version 3.0.7.

Check Point products are NOT vulnerable to latest OpenSSL vulnerabilities

Full details here

CloudGuard Appsec clients do need to follow these instructions to ensure that communication between CloudGuard AppSec and Check Point cloud is using a patched OpenSSL version.

What is happening now?

Check Point Research works with its worldwide operation to ensure that you have the best protection as soon as possible. We will also share insights on what is the impact of possible exploitation as more information becomes available.

What about tech vendors?

It’s time for the tech industry to upgrade all vulnerable products with the fix, so you don’t have to worry about threat actors who are working to weaponize the information gathered on these vulnerabilities. But don’t get us wrong – this is not an easy task, so expect it to take some time for some vendors.
Here you can view the list of vulnerable and non-vulnerable software – https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software?s=08
From the Log4j vulnerability to the OpenSSL vulnerability, we’re seeing an exponential increase in the rate and sophistication of cyberattacks globally. OpenSSL is the industry’s foundation for securing the internet –
enabling communications across email, websites, and web apps to be secure – which makes this threat potentially very dangerous. While the industry waited for today’s patch, our researchers’ team is uncovering and sharing as much information about the vulnerability as possible, to ensure our customers and partners are prepared.
Whatever happens in the cybersecurity space – any new vulnerability, threat, or malicious activity – we at Check Point are there to protect you with the best security you deserve.

What is OpenSSL?

OpenSSL is a commonly used code library designed to allow secured communication over the internet. Simply put, whenever we browse the internet, the website we browse or the online service we access utilizes OpenSSL at its very basic level.
Which means,  we will all need to be very alert to what the OpenSSL project team released. It touches broad aspects of our common usage of the internet.

What can be the risk?

The 2 new high-severity CVE’s refers to areas of Distribution Denial of Service(DDOS) and Remote Code Execution(RCE).
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
DDoS (Distributed Denial of Service) is a category of malicious cyber-attacks that hackers or cybercriminals employ in order to make an online service, network resource or host machine unavailable to
its intended users on the Internet. DDoS incidents are closely associated with botnets, where hackers take over command and control of thousands of Internet-connected devices, and then in coordinated attacks, direct all those devices to simultaneously send requests to the target.

CVE-2022-3602 – OpenSSL Remote Code Execution

Check Point Research shares technical information on what CVE-2022-3602 is all about. This information should serve the entire cyber security community and protect organizations around the globe.
As mentioned in our previous blog post, this vulnerability affects all OpenSSL versions between 3.0.0 and 3.0.6 and a fix is available on recent version 3.0.7.
We need to mention that OpenSSL downgraded the severity of this vulnerability to High instead of Critical after the release.

So what’s it all about?

CVE-2022-3602 vulnerability in OpenSSL occurs due to incorrect processing of Punycode while checking X.509 certificates.
Punycode is a representation of Unicode strings using the limited ASCII character subset. It is usually used to encode domain names containing non-ASCII characters, for example Japanese letters. A punycode-encoded string
begins with “xn--” and is followed by English characters and digits.
The vulnerable function ossl_punycode_decode may cause buffer overflow during Punycode string decoding. It is called when OpenSSL processes a certificate chain. In order to exploit vulnerability it is required to:
1) Craft a CA (certificate authority) certificate or Intermediary certificate that contains the “nameConstraints” field with a malicious Punycode string. The Punycode string must contain at least 512 bytes excluding “xn--”.
2) Craft a leaf certificate that contains a SubjectAlternateName (SAN) otherName field that specifies a SmtpUTF8Mailbox string

CVE-2022-3786 – Denial of Service

Buffer overflow occurs in the ossl_a2ulabel vulnerable function. When this function meets a Punycode part followed by a dot character (“.”) it also appends “.” to the output buffer even if it overflows its size.
This way, an attacker can overflow the output buffer by any number of “.” characters, which leads to the stack corruption. This vulnerability can’t be used for remote code execution, just denial of service.

What can I do until further details are revealed?

In the meantime, organizations should stay alert and utilize security’s best practices, including patching and updating all systems to the latest operating system, and getting ready to update IPS once they become available.
Customer Guidance for reported security update OpenSSL 3.0.0 to 3.0.6 versions is available here
At any given moment, if you feel you’ve been breached or under attack contact our Emergency Response Hotline
In addition our worldwide Technical Assistance Centers are available to assist you 24 x 7.

https://blog.checkpoint.com/2022/11/01/openssl-vulnerability-cve-2022-3602-remote-code-execution-and-cve-2022-3786-denial-of-service-check-point-research-update/