On November 1, 2022, the OpenSSL project disclosed two new vulnerabilities: CVE-2022-3786 and CVE-2022-3602.
Both are buffer overflows in X.509 certificate verification (the advisory calls them "X.509 Email Address Buffer Overflows"). They occur in the Punycode decoding that the name-constraint checking code applies to email addresses in certificates, a code path introduced in OpenSSL 3.0.0.
Punycode:
- An algorithm that represents a Unicode string using only the characters allowed in a host name, so that internationalized labels can be carried in DNS.
- Only letters, digits and hyphens are allowed in the result, and an encoded label always carries the ACE prefix "xn--" (for example, "bücher" becomes "xn--bcher-kva").
- It is part of IDNA (Internationalized Domain Names in Applications), which lets domain names use any Unicode script; the conversion is performed entirely by the client application (such as the web browser), not by DNS.
In this article, we analyze what the new OpenSSL vulnerabilities are and how many OpenSSL servers were still unpatched 15 days after disclosure.
OpenSSL Vulnerability Features and Vulnerable Version (CVE-2022-3786, CVE-2022-3602)
When the new OpenSSL vulnerabilities were made public, there was concern that another Heartbleed, the 2014 OpenSSL incident that was a nightmare for the cybersecurity industry, was about to happen: these are buffer overflows, and remote code execution (RCE) was considered possible.
However, the vulnerable code is only reached after certificate chain verification gets as far as the name-constraint check, so an attacker needs a malicious certificate signed by a CA the victim trusts, or an application that keeps going after chain validation fails. For a server to be attacked it must request client certificates (mutual TLS authentication); otherwise only clients that connect to a malicious server are exposed. In addition, current platforms ship stack overflow protections, and on several common Linux distributions the four overflowed bytes of CVE-2022-3602 were reported to land in an unused adjacent stack buffer, so neither a crash (denial of service) nor RCE could be reproduced there.
Because of these pre-conditions, OpenSSL downgraded the severity from Critical to High on the day of the release, and a disaster on the scale of Heartbleed was avoided. A High-severity vulnerability still has to be understood and patched, so we look at its details below.
Vulnerability Feature
- CVE-2022-3786: An attacker can craft a malicious email address in an X.509 certificate to overflow an arbitrary number of bytes containing the '.' character (0x2E) on the stack. This can crash the process (denial of service).
- CVE-2022-3602: An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This can result in a crash (denial of service) or potentially remote code execution.
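To make the Punycode description above and the "four bytes" of CVE-2022-3602 concrete, here is an added example written for this article (it is not OpenSSL's crypto/punycode.c and not Criminal IP's code): a compact RFC 3492 Punycode decoder whose insertion step models the shape of the bounds check behind CVE-2022-3602. OpenSSL 3.0.0 to 3.0.6 tested `written_out > max_out` before inserting one more 32-bit code point, so at `written_out == max_out` the insert landed one element (4 bytes) past the caller's buffer; 3.0.7 tests `>=`. The `fixed` parameter selects which check this model uses, and the sentinel test keeps the overrun inside one array so the demonstration is well-defined C.

```c
/*
 * Added example (not OpenSSL's crypto/punycode.c): RFC 3492 punycode decoder
 * whose insertion step models the `>` versus `>=` bounds check behind
 * CVE-2022-3602. fixed == 0 reproduces the 3.0.0-3.0.6 check, fixed == 1 the
 * 3.0.7 check.
 */
#include <stdio.h>
#include <string.h>

enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128 };

/* Bias adaptation, RFC 3492 section 6.1. */
static unsigned int adapt(unsigned int delta, unsigned int numpoints, int first)
{
    unsigned int k = 0;
    delta = first ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE)
        delta /= BASE - TMIN;
    return k + ((BASE - TMIN + 1) * delta) / (delta + SKEW);
}

/* Digit value of a base-36 character, or -1 if it is not one. */
static int digit_value(char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

/*
 * Decode label `enc` (already stripped of "xn--") into `out`, which the caller
 * sized for `max_out` code points. Returns 1 and sets *written on success.
 */
int decode_punycode(const char *enc, unsigned int *out, size_t max_out,
                    size_t *written, int fixed)
{
    size_t len = strlen(enc), in = 0, written_out = 0;
    unsigned int n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
    const char *dash = strrchr(enc, '-');

    if (dash != NULL) {                 /* basic code points before the last '-' */
        size_t basic = (size_t)(dash - enc);
        if (basic > max_out)
            return 0;
        for (; written_out < basic; written_out++)
            out[written_out] = (unsigned char)enc[written_out];
        in = basic + 1;
    }
    while (in < len) {                  /* one variable-length delta per insert */
        unsigned int oldi = i, w = 1, k;
        for (k = BASE;; k += BASE) {
            int d = in < len ? digit_value(enc[in++]) : -1;
            unsigned int t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if (d < 0)
                return 0;
            i += (unsigned int)d * w;
            if ((unsigned int)d < t)
                break;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (unsigned int)written_out + 1, oldi == 0);
        n += i / (unsigned int)(written_out + 1);
        i %= (unsigned int)(written_out + 1);

        /* The bug: `>` still admits the insert when the buffer is already full. */
        if (fixed ? written_out >= max_out : written_out > max_out)
            return 0;
        memmove(out + i + 1, out + i, (written_out - i) * sizeof *out);
        out[i++] = n;                   /* attacker-chosen code point */
        written_out++;
    }
    *written = written_out;
    return 1;
}

/* Decode with the fixed check into scratch space; return code point `idx`, or 0
 * if decoding failed or idx is past the end. */
unsigned int decoded_code_point(const char *enc, size_t idx)
{
    unsigned int buf[8] = { 0 };
    size_t n = 0;
    if (!decode_punycode(enc, buf, 8, &n, 1) || idx >= n)
        return 0;
    return buf[idx];
}

/* Decode "bcher-kva" ("bücher", 6 code points) into a buffer declared for 5, with
 * a sentinel in the 6th slot of the same array. Returns 1 if it was overwritten. */
int sentinel_clobbered(int fixed)
{
    unsigned int buf[6] = { 0 };
    size_t n = 0;
    buf[5] = 0xDEADBEEFu;
    decode_punycode("bcher-kva", buf, 5, &n, fixed);
    return buf[5] != 0xDEADBEEFu;
}

int main(void)
{
    printf("3.0.6-style check: sentinel clobbered = %d\n", sentinel_clobbered(0));
    printf("3.0.7-style check: sentinel clobbered = %d\n", sentinel_clobbered(1));
    return 0;
}
```

With the old check the decoder reports success, writes six code points into a five-slot buffer and silently overwrites the sentinel with the last basic character; with the `>=` check it refuses the insert and the sentinel survives. The element type is a 32-bit unsigned int, which is where the "4 bytes" in the advisory comes from; a second overflowing insert is impossible because the next iteration sees `written_out > max_out`.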
Vulnerable Version and Security Patched Version
OpenSSL is a widely used open-source security library that implements the SSL/TLS protocols between web browsers (clients) and servers. The project recommends upgrading to version 3.0.7, since attacks against the vulnerable versions are expected in the foreseeable future.
Vulnerable Product
OpenSSL 3.0.0 through 3.0.6
- OpenSSL 1.0.2 and 1.1.1 are not affected
How to Identify Vulnerable Version of OpenSSL
OpenSSL is a library installed on the server, so an administrator can check it locally with the 'openssl version' command, but an outsider usually cannot determine the exact version.
However, Apache web servers configured with 'ServerTokens Full' expose the OpenSSL version in the HTTP Server response header.
In the example IP address below, the Server header shows a Fedora host running Apache 2.4.54 with OpenSSL 3.0.5.
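The banner check described above, as an added example written for this article (not code from Criminal IP): it pulls the OpenSSL token out of an Apache Server header and classifies it against the affected range 3.0.0 to 3.0.6. The sample headers are constructed, not real hosts. Two caveats a practitioner should keep in mind: Apache only emits the OpenSSL token when 'ServerTokens Full' is set, so a missing token proves nothing, and distributions backport security fixes without changing the version string, so a matching banner is a lead to verify against the package changelog rather than proof.

```c
/*
 * Added example (not from the article or from Criminal IP): classify the OpenSSL
 * version an Apache Server header advertises against the 3.0.0-3.0.6 range.
 * Caveats: the token only appears with `ServerTokens Full`, and distro backports
 * can make a vulnerable-looking banner a false positive.
 */
#include <stdio.h>
#include <string.h>

enum ossl_status { OSSL_UNKNOWN, OSSL_NOT_AFFECTED, OSSL_VULNERABLE, OSSL_PATCHED };

/* Pull major.minor.patch out of the first "OpenSSL/x.y.z..." token; letter and
 * "-fips" suffixes (1.1.1f, 1.0.2k-fips) are ignored by the %d conversions. */
int parse_openssl_version(const char *header, int *maj, int *min, int *pat)
{
    const char *p = strstr(header, "OpenSSL/");
    if (p == NULL)
        return 0;
    return sscanf(p + strlen("OpenSSL/"), "%d.%d.%d", maj, min, pat) == 3;
}

/* Only the 3.0 branch is affected; 1.0.2 and 1.1.1 are not (per the advisory). */
enum ossl_status classify_openssl(const char *header)
{
    int maj, min, pat;
    if (!parse_openssl_version(header, &maj, &min, &pat))
        return OSSL_UNKNOWN;        /* no token: ServerTokens is not Full, or not Apache */
    if (maj != 3 || min != 0)
        return OSSL_NOT_AFFECTED;
    return pat <= 6 ? OSSL_VULNERABLE : OSSL_PATCHED;
}

/* Count banners in the 3.0.0-3.0.6 range across a list of headers. */
int count_vulnerable(const char *const *headers, int n)
{
    int count = 0, i;
    for (i = 0; i < n; i++)
        if (classify_openssl(headers[i]) == OSSL_VULNERABLE)
            count++;
    return count;
}

/* Constructed sample banners for the demonstration; not real hosts. */
static const char *const SAMPLE_HEADERS[] = {
    "Server: Apache/2.4.54 (Fedora) OpenSSL/3.0.5",
    "Server: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.7",
    "Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f",
    "Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips",
    "Server: Apache",
    "Server: nginx/1.22.1",
};
#define SAMPLE_COUNT (sizeof SAMPLE_HEADERS / sizeof SAMPLE_HEADERS[0])

int main(void)
{
    static const char *const names[] = { "unknown", "not affected", "vulnerable", "patched" };
    size_t i;
    for (i = 0; i < SAMPLE_COUNT; i++)
        printf("%-52s -> %s\n", SAMPLE_HEADERS[i], names[classify_openssl(SAMPLE_HEADERS[i])]);
    printf("vulnerable banners: %d\n", count_vulnerable(SAMPLE_HEADERS, (int)SAMPLE_COUNT));
    return 0;
}
```

Feed it the Server header from an HTTP HEAD response, or the 'openssl version' output with "OpenSSL " replaced by "OpenSSL/", and treat "vulnerable" as a host to confirm and patch, not as a confirmed finding.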

Searching for OpenSSL on the security OSINT search engine Criminal IP (https://www.criminalip.io) shows that approximately 2.1 million IP addresses are running OpenSSL.
Search Query: Product:OpenSSL

14,000 Web Servers Affected by New OpenSSL Vulnerability Worldwide
That search, however, returns every system running OpenSSL regardless of version, so the cve_id filter is recommended for a more accurate view of the systems exposed to the vulnerability. At the time of writing, a search for cve_id:CVE-2022-3786 showed 14,527 IP addresses still running a vulnerable OpenSSL version two weeks after disclosure.
Search Query: cve_id:cve-2022-3786

Statistics of Countries Using Vulnerable Version of OpenSSL, 26% of Which Are in the US
Looking at the statistics by country, the top 5 countries still running the vulnerable version of OpenSSL were the US, Japan, Germany, China and the UK.
The US alone accounted for 3,814 of the 14,527 addresses, an overwhelming 26.25% of all IP addresses running the vulnerable version.

ASN Statistics of Vulnerable OpenSSL Use, Majority of Top 10 Are Cloud Service ASNs
Looking at the ASN statistics for all IP addresses running vulnerable OpenSSL, about 70% belong to the ASNs of cloud service providers such as Microsoft, Amazon, Google, OVH and DigitalOcean.
This means that a large share of the vulnerable OpenSSL instances are running on cloud servers that nobody is maintaining.
Outside the top cloud providers, organizations such as Alibaba in Hangzhou also appear to be neglecting these at-risk assets.

Intelligence Analysis of IP Address Using Vulnerable Version of OpenSSL
Analyzing an IP address running OpenSSL 3.0.5, one of the vulnerable versions, showed ports 22, 80 and 443 open, with vulnerable services behind them.
The host carries four vulnerabilities in total: three in OpenSSL (the newly announced CVE-2022-3786 and CVE-2022-3602, plus CVE-2022-3358) and one in OpenSSH (CVE-2021-36368).
If the OpenSSL overflow were exploited for RCE on this server, the server could be taken over and used as a bot.
Criminal IP's intelligence analysis rates the host's inbound score as Critical. In other words, when this IP address appears as the source of traffic into an internal network, it is classified as dangerous, and security personnel should block it at the firewall.

OpenSSL Vulnerability Solutions
Upgrade to OpenSSL version 3.0.7
Download Link: https://github.com/openssl/openssl/tags
Although the severity was lowered from Critical to High because of the exploitation pre-conditions and platform mitigations, this does not mean the vulnerability is harmless: attackers look for hosts that can be identified as running vulnerable products and try various attacks against them.

The attack history of scanner IPs collected by Criminal IP (https://www.criminalip.io/intelligence/statistics) shows large numbers of scans against many ports. External ports and vulnerable products on every managed server therefore need close attention and thorough management, and security patches should be applied quickly whenever a vulnerability is found.
For more information, see our article analyzing web server vulnerabilities introduced by software installed alongside the Apache web server.
Source : Criminal IP (https://www.criminalip.io)
Related Article : https://blog.criminalip.io/2022/11/09/software-package/