On October 31st, new OpenSSL vulnerabilities were discovered: CVE-2022-3786 and CVE-2022-3602.

This vulnerability is a buffer overflow in X.509 email address processing. Specifically, the overflow can occur in the Punycode decoding used by the name constraint checking function of X.509 certificate verification, which was introduced in OpenSSL 3.0.0.

Punycode is:

  • The algorithm used to convert Unicode strings to ASCII strings, encoding them using only the characters allowed in a host name
  • Only letters, digits, and hyphens are allowed, and encoded labels always carry the “xn--” prefix
  • Part of IDNA (Internationalized Domain Names in Applications), which supports multilingual domain names in every language covered by Unicode; the conversion takes place entirely on the client (web browser).

In this article, we analyze the features of the new OpenSSL vulnerability and present statistics on OpenSSL servers that remain unpatched even though 15 days have passed since its discovery.

OpenSSL Vulnerability Features and Vulnerable Version (CVE-2022-3786, CVE-2022-3602) 

When the new OpenSSL vulnerability was made public, there were concerns that a repeat of the OpenSSL Heartbleed incident, which was a nightmare for the cybersecurity industry, was imminent, because it was a buffer overflow vulnerability and RCE (Remote Code Execution) attacks appeared possible.

However, for the vulnerability to be exploited, the client and server must be configured for two-way (mutual) SSL authentication. In addition, current platforms include stack overflow protection, and it appears that neither RCE nor DoS (denial-of-service attack) can be achieved on Linux distributions.

Due to the complexity of exploitation, the CVE severity was lowered from critical to high, fortunately avoiding a disaster on the scale of Heartbleed. Despite this, it is important to understand all the details of the vulnerability, as it is still rated high. We will look at its features below.

Vulnerability Feature

  • CVE-2022-3786: An attacker can craft a malicious email address in an X.509 certificate to overflow an arbitrary number of bytes containing the ‘.’ character on the stack.
  • CVE-2022-3602: An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.

PoC Code: https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/openssl-punycode-vulnerability

Vulnerable Version and Security Patched Version 

OpenSSL is a widely used open-source security library that implements the SSL/TLS communication protocol between web browsers and servers. The OpenSSL project recommends applying the security patch by updating to version 3.0.7, as attacks exploiting this vulnerability are expected in the foreseeable future.

Vulnerable Product

OpenSSL versions 3.0.0 through 3.0.6

  • OpenSSL 1.0.2, 1.1.1 are not affected

How to Identify Vulnerable Version of OpenSSL 

OpenSSL is a library installed on a server, so on Linux its version is typically checked locally with the ‘openssl version’ command; for outsiders, however, it is difficult to identify the exact version.

However, for web servers using Apache, the HTTP header provides accessible information about the version of OpenSSL being used. 

For the IP address shown below, the HTTP header reveals a Fedora OS host running Apache 2.4.54 with OpenSSL version 3.0.5.
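The following added example (not code from the original article or from Criminal IP) shows how the check described above can be automated: it extracts the OpenSSL version from either an Apache Server header or the local ‘openssl version’ output and compares it with the affected range 3.0.0 through 3.0.6. The sample header strings are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Affected range for CVE-2022-3786 / CVE-2022-3602 (3.0.7 is the fixed release).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches "OpenSSL/3.0.5" (Apache Server header) and "OpenSSL 3.0.5" (openssl version).
# The trailing letter group absorbs 1.1.1-style suffixes such as "1.1.1q".
VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")


def extract_openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) found in text, or None if no version is exposed."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True only for 3.0.0 .. 3.0.6; 1.0.2 and 1.1.1 are not affected."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text: str) -> str:
    """Classify a header line or openssl output as vulnerable / not affected / unknown."""
    version = extract_openssl_version(text)
    if version is None:
        return "unknown"  # e.g. ServerTokens Prod hides component versions
    return "vulnerable" if is_affected(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    samples = [
        "Server: Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5",
        "Server: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.7",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "Server: nginx",
    ]
    for s in samples:
        print(f"{assess(s):13s} <- {s}")
```

Apache only exposes component versions in the Server header when ServerTokens is set to Full, and distribution packages often backport the fix without changing the version string, so treat a match as a lead to confirm on the host rather than as proof.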

IP Address Confirmed With OpenSSL Vulnerability CVE-2022-3786, CVE-2022-3602 From Checking the Apache Web Server’s HTTP Header

Searching ‘Openssl’ on the Security OSINT search engine Criminal IP (https://www.criminalip.io) will show that approximately 2.1 million IP addresses are using OpenSSL.

Search Query: product:OpenSSL

Search Results for “product: OpenSSL” on Criminal IP Showing Approximately 2.1 Million IP Addresses Using OpenSSL

14,000 Web Servers Affected by New OpenSSL Vulnerability Worldwide 

However, since that query returns every system using OpenSSL regardless of whether it is vulnerable, it is recommended to use the cve_id filter to find systems exposed to the vulnerability more accurately. At the time of writing, searching for cve_id: CVE-2022-3786 showed 14,527 IP addresses still using the vulnerable version of OpenSSL, two weeks after its discovery.

Search Query: cve_id:cve-2022-3786

14,527 of all Servers Using OpenSSL Discovered With New OpenSSL Vulnerability CVE-2022-3786

Statistics of Countries Using Vulnerable Version of OpenSSL, 26% of which are US 

Looking at the statistics of countries still using the vulnerable version of OpenSSL, the top 5 were the US, Japan, Germany, China and the UK. 

Among them, the US was responsible for 3,814 out of the total 14,527, an overwhelming 26.25% of all IP addresses using the vulnerable version of OpenSSL. 

Worldwide Statistics of Countries with OpenSSL vulnerability cve-2022-3786, US Accounting for 26%

ASN Statistics of Vulnerable OpenSSL Use, Majority of Top 10 Are Cloud Service ASN 

Looking at the ASN statistics for all IP addresses using vulnerable OpenSSL, 70% belong to the ASNs of companies that provide cloud services, such as Microsoft, Amazon, Google, OVH, and DigitalOcean.

This means that many OpenSSL installations on cloud servers are left unmanaged.

Apart from the cloud service providers, it appears that ordinary companies such as Alibaba in Hangzhou are not managing them either and are neglecting their at-risk assets.

ASN Statistic of OpenSSL Vulnerability cve-2022-3786 Servers Around the World, 7 out of Top 10 are Cloud Providers’ ASN

Intelligence Analysis of IP Address Using Vulnerable Version of OpenSSL 

Analyzing an IP address using OpenSSL version 3.0.5, which carries the OpenSSL vulnerability, showed ports 22, 80, and 443 in a vulnerable state.

This IP address has a total of 4 exploitable vulnerabilities: 3 OpenSSL vulnerabilities (CVE-2022-3786, CVE-2022-3602, CVE-2022-3358, the first two being the recently announced ones) and 1 OpenSSH vulnerability (CVE-2021-36368).

If the OpenSSL overflow vulnerability that allows RCE is exploited on this server and RCE succeeds, there is a risk that the server will be used as a bot.

According to the Criminal IP intelligence analysis, the inbound score is rated critical. In other words, when this IP address appears as the source IP of connections into an internal network, it is classified as a dangerous IP address, and security personnel should block it at the firewall.

Criminal IP Intelligence Analysis Result of an IP Address with New OpenSSL Vulnerabilities Show a Total of 4 Vulnerabilities Found
Criminal IP Intelligence Analysis Result of an IP Address with OpenSSL Vulnerabilities Shows That Port 22, 80 and 443 are in a Vulnerable State

OpenSSL Vulnerability Solutions 

Recommendation: upgrade to OpenSSL version 3.0.7

Download Link: https://github.com/openssl/openssl/tags

Although the CVE severity dropped from critical to high because of the complexity of exploitation and the protections of current platforms, this does not mean the vulnerability is harmless. Attackers attempt a variety of attacks precisely because the use of vulnerable products can be identified from the outside.

Scanner IP collected by Criminal IP, Scan Request With Multiple Ports

The attack history of a scanner IP collected by Criminal IP (https://www.criminalip.io/intelligence/statistics) shows scan requests being sent to multiple ports. Therefore, closer attention and thorough management of external ports and vulnerable products are needed across all managed servers. Furthermore, it is important to take quick measures such as applying security patches when a vulnerability is present.

Please refer to our article analyzing web server vulnerabilities caused by software installed alongside the Apache web server for more information.

Source : Criminal IP (https://www.criminalip.io)

Related Article : https://blog.criminalip.io/2022/11/09/software-package/