This vulnerability is an X.509 email address buffer overflow. Specifically, the overflow can occur while decoding Punycode in the X.509 certificate verification name constraint check, a feature introduced in OpenSSL 3.0.0.
- Punycode is an algorithm that converts Unicode strings into ASCII strings using only the characters allowed in host names.
- Only letters, digits and hyphens are allowed, and the encoded labels always start with the prefix “xn--”.
- As part of IDNA (Internationalized Domain Names in Applications), it supports domain names in every language covered by Unicode, and the conversion takes place entirely on the client (the web browser).
In this article, we analyze the features of the new OpenSSL vulnerability and the statistics of OpenSSL servers that remain unpatched 15 days after its disclosure.
OpenSSL Vulnerability Features and Vulnerable Version (CVE-2022-3786, CVE-2022-3602)
When the new OpenSSL vulnerability was made public, it was found to be a buffer overflow vulnerability with the possibility of an RCE (Remote Code Execution) attack. There were concerns that another incident like OpenSSL Heartbleed, which was a nightmare for the cybersecurity industry, could happen again.
However, for the vulnerability to be exploited, both the client and the server must be configured for two-way (mutual) SSL authentication. In addition, current platforms include stack overflow protection, so it appears that RCE and DoS (denial-of-service) attacks cannot be carried out on Linux distributions.
Due to the complexity of exploiting the vulnerability, its CVE score was lowered from critical to high, fortunately avoiding a disaster on the scale of Heartbleed. Even so, it remains a high-severity vulnerability, and it is important to understand all of its details. We will be looking at its features below.
- CVE-2022-3786: An attacker can craft the email address inside an X.509 certificate to overflow an arbitrary number of bytes containing the ‘.’ character on the stack.
- CVE-2022-3602: While Punycode is being decoded, an attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This can result in an RCE or DoS attack.
Vulnerable Version and Security Patched Version
OpenSSL is a widely used open-source security library that implements the SSL/TLS communication protocols between web browsers and servers. The OpenSSL project recommends applying the security patch by updating to version 3.0.7, as this vulnerability is expected to be targeted by attacks in the foreseeable future.
- Affected: OpenSSL versions 3.0.0 to 3.0.6
- OpenSSL 1.0.2 and 1.1.1 are not affected
How to Identify Vulnerable Version of OpenSSL
OpenSSL is a library inside the server, so its version is normally checked locally with the Linux ‘openssl version’ command, which makes it difficult for outsiders to identify the exact version.
However, for web servers running Apache, the HTTP Server header can expose the version of OpenSSL being used.
In the example IP address shown below, we can see that a Fedora host is running Apache 2.4.54 with OpenSSL 3.0.5.
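The check described above can be automated over a list of captured Server headers. The following is an added example written for this article (not Criminal IP's or Apache's code): it extracts the OpenSSL version from an Apache Server header and classifies it against the affected range 3.0.0 to 3.0.6 stated earlier. The header strings are constructed samples; the first one mirrors the Apache 2.4.54 / OpenSSL 3.0.5 combination just described.

```python
# Added example: classify an Apache Server header by the OpenSSL version it
# advertises. Illustrative code, not from the original article.
import re
from typing import Optional, Tuple

VULNERABLE_MIN = (3, 0, 0)
VULNERABLE_MAX = (3, 0, 6)  # 3.0.7 is the patched release

# Matches e.g. "OpenSSL/3.0.5" or "OpenSSL/1.1.1q" (letter suffix on 1.x)
_OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def openssl_version_from_server_header(server_header: str) -> Optional[Version]:
    """Return (major, minor, patch, letter) from a Server header, or None."""
    m = _OPENSSL_RE.search(server_header)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_affected_version(version: Version) -> bool:
    """True when the version lies within 3.0.0..3.0.6; 1.0.2 and 1.1.1 are not affected."""
    major, minor, patch, _letter = version
    return VULNERABLE_MIN <= (major, minor, patch) <= VULNERABLE_MAX


def assess_server_header(server_header: str) -> str:
    """Classify a header as 'affected', 'not affected' or 'unknown'."""
    version = openssl_version_from_server_header(server_header)
    if version is None:
        return "unknown"  # OpenSSL not advertised (e.g. ServerTokens not Full)
    return "affected" if is_affected_version(version) else "not affected"


# Constructed sample headers (not real hosts).
SAMPLE_HEADERS = [
    "Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5",
    "Apache/2.4.54 (Unix) OpenSSL/3.0.7",
    "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1q",
    "Apache",  # minimal banner: nothing to go on
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"{hdr!r:50} -> {assess_server_header(hdr)}")
```

Two caveats for anyone using this at scale: Apache only includes module versions in the Server header when `ServerTokens Full` is configured, so an "unknown" result is common, and distributions often backport fixes without changing the advertised version string. The banner is a triage signal; the local `openssl version` check mentioned above, together with the distribution's package changelog, is what confirms the patch state.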
Searching for ‘OpenSSL’ on the security OSINT search engine Criminal IP (https://www.criminalip.io) shows approximately 2.1 million IP addresses using OpenSSL.
Search Query: Product:OpenSSL
14,000 Web Servers Affected by New OpenSSL Vulnerability Worldwide
However, since that search returns every system using OpenSSL regardless of whether it is vulnerable, it is recommended to use the cve_id filter for a more accurate view of the systems exposed to this vulnerability. At the time of writing, searching for cve_id: CVE-2022-3786 showed that 14,527 IP addresses are still running the vulnerable version of OpenSSL, 2 weeks after its discovery.
Search Query: cve_id:cve-2022-3786
Statistics of Countries Using Vulnerable Version of OpenSSL, 26% of which are US
Looking at the statistics by country for IP addresses still using the vulnerable version of OpenSSL, the top 5 were the US, Japan, Germany, China and the UK.
Among them, the US accounted for 3,814 of the total 14,527, an overwhelming 26.25% of all IP addresses using the vulnerable version of OpenSSL.
ASN Statistics of Vulnerable OpenSSL Use, Majority of Top 10 Are Cloud Service ASN
Looking at the ASN statistics for all IP addresses using vulnerable OpenSSL, 70% belong to the ASNs of cloud service providers such as MS, Amazon, Google, OVH and DigitalOcean.
This means that many unmanaged OpenSSL installations are running on cloud servers.
Apart from the cloud service providers, it appears that other companies, such as Hangzhou Alibaba, are not managing these installations either and are neglecting their at-risk assets.
Intelligence Analysis of IP Address Using Vulnerable Version of OpenSSL
An IP address running OpenSSL version 3.0.5, which carries the OpenSSL vulnerability, was analyzed with Criminal IP intelligence, and ports 20, 80 and 443 were found to be in a vulnerable state.
This IP address has a total of 4 exploitable vulnerabilities: 3 OpenSSL vulnerabilities (CVE-2022-3786, CVE-2022-3602, CVE-2022-3358), including the recently announced CVE-2022-3786 and CVE-2022-3602, and 1 OpenSSH vulnerability (CVE-2021-36368).
If an OpenSSL vulnerability that allows RCE through the overflow is successfully exploited against the server, the server may be turned into a bot.
According to the Criminal IP intelligence analysis, the inbound score is rated as critical. This means the IP address is dangerous when it appears as a source IP accessing internal servers, so security personnel should block it at the firewall.
OpenSSL Vulnerability Solutions
Recommendation: Upgrade to OpenSSL version 3.0.7
Download Link: https://github.com/openssl/openssl/tags
Although the CVE score was lowered from critical to high because of the exploit's complexity and the stability of current platforms, that does not mean it is not dangerous at all. Attackers attempt a variety of attacks precisely because the use of vulnerable products can be identified from the outside.
Looking at the attack history of scanner IPs collected by Criminal IP (https://www.criminalip.io/intelligence/statistics), a large number of scans are being made against multiple ports. Therefore, across all managed servers, more attention and thorough management of external ports and vulnerable products is needed. If a vulnerability exists, it is important to quickly take measures such as applying security patches.
Please refer to our article that analyzes web server vulnerabilities caused by Apache web server-installed software for more information.
Source : Criminal IP (https://www.criminalip.io)
Related Article : https://blog.criminalip.io/2022/11/09/software-package/