On November 1st 2022, the OpenSSL project published a security advisory for two new vulnerabilities, CVE-2022-3786 and CVE-2022-3602, a week after pre-announcing that a fix was coming.

Both are buffer overflows in X.509 certificate verification, specifically in the name constraint check applied to email addresses. To compare internationalized email addresses against name constraints, OpenSSL 3.0.0 introduced a Punycode decoder, and it is while handling Punycode in this check that the overflow occurs.

Punycode:

  • An algorithm (RFC 3492) that converts a Unicode string into an ASCII string using only the characters allowed in host names
  • Only letters, digits and hyphens appear in the output; when the encoding is used for domain names (IDNA), the encoded label is prefixed with “xn--”
  • As part of IDNA (Internationalized Domain Names in Applications), domain names in any language supported by Unicode can be used, and the conversion to ASCII takes place entirely on the client (e.g. the web browser)

In this article, we analyze the features of the new OpenSSL vulnerability and statistics on the OpenSSL servers that remain unpatched 15 days after its disclosure.

OpenSSL Vulnerability Features and Vulnerable Version (CVE-2022-3786, CVE-2022-3602) 

When the new OpenSSL vulnerability was made public, it turned out to be a buffer overflow with the potential for RCE (Remote Code Execution). There were concerns that another incident on the scale of OpenSSL Heartbleed, a nightmare for the cybersecurity industry, could happen again.

However, the overflow is only reached during X.509 certificate verification, after a certificate chain has been built to a trusted issuer, so the attacker needs a malicious certificate that chains to a CA the victim trusts (or an application that continues despite verification failure). A TLS client is exposed when it connects to a malicious server; a TLS server is exposed only if it requests client authentication (two-way/mutual TLS) and a malicious client connects. In addition, most current platforms are built with stack overflow protections, which reduce the practical impact on typical Linux distributions to a crash (DoS) rather than RCE, and on some builds the overwritten bytes land in unused stack space and nothing observable happens at all.

Because of these preconditions, OpenSSL downgraded the severity of CVE-2022-3602 from critical to high, fortunately avoiding a disaster on the scale of Heartbleed. Even so, it remains a high-severity vulnerability whose details are worth understanding. We will be looking at its features.

Vulnerability Feature

  • CVE-2022-3786: An attacker can craft a malicious email address in an X.509 certificate to overflow an arbitrary number of bytes, each containing the ‘.’ character (0x2E), on the stack. This can crash the verifying process (DoS). 
  • CVE-2022-3602: While the victim’s OpenSSL decodes Punycode in an email address during name constraint checking, a crafted address can overflow four attacker-controlled bytes on the stack. This can result in a crash (DoS) or potentially RCE. 
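As an added example, not code from the original article or from OpenSSL, here is a small RFC 3492 Punycode decoder in C: the operation the Punycode bullets above describe, and the one the name constraint check performs on the domain part of an email address. The output-length check before each insertion is the kind of check at issue in CVE-2022-3602: the decoder writes 32-bit code points, so letting one extra insertion through means exactly four bytes written past the buffer. Function names, the 64-entry scratch buffer and the sample labels (“xn--mnchen-3ya” for “münchen”, “xn--bcher-kva” for “bücher”) are this example’s own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3492 Punycode parameters */
#define PC_BASE 36
#define PC_TMIN 1
#define PC_TMAX 26
#define PC_SKEW 38
#define PC_DAMP 700
#define PC_INITIAL_BIAS 72
#define PC_INITIAL_N 128

/* Bias adaptation, straight from RFC 3492 section 6.1. */
static uint32_t pc_adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;

    delta = firsttime ? delta / PC_DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2) {
        delta /= PC_BASE - PC_TMIN;
        k += PC_BASE;
    }
    return k + (PC_BASE - PC_TMIN + 1) * delta / (delta + PC_SKEW);
}

/* Map a base-36 digit character to its value, or -1 if it is not a digit. */
static int pc_digit(char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

/*
 * Decode the Punycode string `in` (an A-label with its "xn--" prefix already
 * stripped) into `out`, which has room for `max_out` code points.
 * Returns the number of code points written, or 0 on malformed input or
 * when the output would not fit. Never writes past out[max_out - 1].
 */
size_t punycode_decode(const char *in, uint32_t *out, size_t max_out)
{
    size_t len = strlen(in), written = 0, j, basic_len;
    uint32_t n = PC_INITIAL_N, i = 0, bias = PC_INITIAL_BIAS;
    const char *delim = strrchr(in, '-');

    /* Everything before the last '-' is copied verbatim (basic code points). */
    basic_len = delim ? (size_t)(delim - in) : 0;
    for (j = 0; j < basic_len; j++) {
        if ((unsigned char)in[j] >= 0x80) return 0;
        if (written >= max_out) return 0;
        out[written++] = (unsigned char)in[j];
    }
    j = delim ? basic_len + 1 : 0;

    /* Each remaining group of digits encodes one non-basic code point. */
    while (j < len) {
        uint32_t oldi = i, w = 1, k, t;
        int d;

        for (k = PC_BASE;; k += PC_BASE) {
            if (j >= len) return 0;                             /* truncated digit group */
            d = pc_digit(in[j++]);
            if (d < 0) return 0;                                /* non-digit character */
            if ((uint32_t)d > (UINT32_MAX - i) / w) return 0;   /* i would overflow */
            i += (uint32_t)d * w;
            t = k <= bias ? PC_TMIN : (k >= bias + PC_TMAX ? PC_TMAX : k - bias);
            if ((uint32_t)d < t) break;
            if (w > UINT32_MAX / (PC_BASE - t)) return 0;       /* w would overflow */
            w *= PC_BASE - t;
        }
        bias = pc_adapt(i - oldi, (uint32_t)written + 1, oldi == 0);
        if (i / ((uint32_t)written + 1) > UINT32_MAX - n) return 0;
        n += i / ((uint32_t)written + 1);
        i %= (uint32_t)written + 1;

        /* Output-length check. It must be `>=`: with `>` one extra 32-bit
         * code point (4 bytes) would be written past the end of the buffer,
         * which is exactly the shape of CVE-2022-3602. */
        if (written >= max_out) return 0;
        memmove(out + i + 1, out + i, (written - i) * sizeof(*out));
        out[i++] = n;
        written++;
    }
    return written;
}

/* Decode `in` into a buffer of `max_out` code points and compare with `expect`. */
int decodes_to(const char *in, size_t max_out, const uint32_t *expect, size_t n_expect)
{
    uint32_t buf[64];

    if (max_out > 64 || n_expect == 0) return 0;
    return punycode_decode(in, buf, max_out) == n_expect
        && memcmp(buf, expect, n_expect * sizeof(*buf)) == 0;
}

/* Returns 1 if decoding `in` into `max_out` slots is correctly rejected. */
int decode_fails(const char *in, size_t max_out)
{
    uint32_t buf[64];

    if (max_out > 64) return 0;
    return punycode_decode(in, buf, max_out) == 0;
}

int main(void)
{
    uint32_t buf[16];
    size_t n = punycode_decode("mnchen-3ya", buf, 16), k;   /* "xn--mnchen-3ya" */

    for (k = 0; k < n; k++)
        printf("U+%04X ", (unsigned)buf[k]);
    printf("\n6-slot buffer: %zu code points written (0 = rejected)\n",
           punycode_decode("mnchen-3ya", buf, 6));
    return 0;
}
```

Decoding “mnchen-3ya” yields the seven code points of “münchen”; the same label into a six-slot buffer is rejected before the seventh insertion, which is the write that an off-by-one in the length check would let through.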

PoC Code: https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/openssl-punycode-vulnerability

Vulnerable Version and Security Patched Version 

OpenSSL is a widely used open-source security library that implements the SSL/TLS communication protocols between web browsers and servers. The project recommends updating to version 3.0.7, as attacks against these vulnerabilities are expected in the foreseeable future.

Vulnerable Product

OpenSSL Version 3.0.0~3.0.6

  • OpenSSL 1.0.2, 1.1.1 is not affected

How to Identify Vulnerable Version of OpenSSL 

OpenSSL is a library inside the server, so on Linux the version is typically checked locally with ‘openssl version’ (bearing in mind that a service may link a different copy of the library than the command-line tool). From outside, it is difficult to identify the exact version.

However, for web servers using Apache with ServerTokens set to Full (the default), the HTTP Server response header exposes the version of OpenSSL being used. 

For the IP address shown below, the header shows Fedora running Apache 2.4.54 with OpenSSL 3.0.5. Note that distributions often backport security fixes without changing the upstream version string, so a banner reading 3.0.5 is an indicator to follow up on the host, not proof of exposure.
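The banner check described above can be automated. The following C program is an added example (not code from the article or from Criminal IP) that finds the Server header in a raw HTTP response head, extracts the OpenSSL/x.y.z token and reports whether the version falls in the affected 3.0.0 to 3.0.6 range. The response text is a constructed sample modelled on the Fedora/Apache banner discussed above, and all function and constant names are this example’s own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum banner_status {
    BANNER_NO_VERSION = 0,     /* header absent or no "OpenSSL/x.y.z" token */
    BANNER_VULNERABLE = 1,     /* OpenSSL 3.0.0 .. 3.0.6 */
    BANNER_NOT_VULNERABLE = 2  /* 3.0.7+ or the unaffected 1.1.1 / 1.0.2 lines */
};

/* Pull "OpenSSL/x.y.z" out of a Server header value. Returns 1 on success. */
int parse_openssl_version(const char *server, int v[3])
{
    const char *p = strstr(server, "OpenSSL/");

    if (p == NULL) return 0;
    p += strlen("OpenSSL/");
    /* 3.0.x is purely numeric; 1.1.1n-style letter suffixes are ignored. */
    return sscanf(p, "%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

enum banner_status openssl_banner_status(const char *server)
{
    int v[3];

    if (!parse_openssl_version(server, v)) return BANNER_NO_VERSION;
    /* CVE-2022-3786 / CVE-2022-3602: OpenSSL 3.0.0 through 3.0.6 */
    if (v[0] == 3 && v[1] == 0 && v[2] <= 6) return BANNER_VULNERABLE;
    return BANNER_NOT_VULNERABLE;
}

/* Case-insensitive prefix match (header names are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix, size_t n)
{
    size_t k;

    for (k = 0; k < n; k++)
        if (tolower((unsigned char)s[k]) != tolower((unsigned char)prefix[k]))
            return 0;
    return 1;
}

/* Copy the value of the Server: header from a raw HTTP response head into
 * `buf`. Returns 1 if the header was found. */
int find_server_header(const char *response, char *buf, size_t bufsz)
{
    const char *line = response;

    if (bufsz == 0) return 0;
    while (*line != '\0') {
        const char *end = strpbrk(line, "\r\n");
        size_t linelen = end ? (size_t)(end - line) : strlen(line);

        if (linelen >= 7 && has_prefix_ci(line, "server:", 7)) {
            const char *val = line + 7;
            size_t vlen;

            while (val < line + linelen && *val == ' ') val++;
            vlen = (size_t)(line + linelen - val);
            if (vlen >= bufsz) vlen = bufsz - 1;
            memcpy(buf, val, vlen);
            buf[vlen] = '\0';
            return 1;
        }
        if (end == NULL) break;
        line = end;
        while (*line == '\r' || *line == '\n') line++;
    }
    return 0;
}

enum banner_status status_from_response(const char *response)
{
    char server[256];

    if (!find_server_header(response, server, sizeof server))
        return BANNER_NO_VERSION;
    return openssl_banner_status(server);
}

/* Constructed sample response head, modelled on the Fedora/Apache banner above. */
static const char SAMPLE_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 15 Nov 2022 00:00:00 GMT\r\n"
    "Server: Apache/2.4.54 (Fedora) OpenSSL/3.0.5\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n";

int main(void)
{
    char server[256];

    if (find_server_header(SAMPLE_RESPONSE, server, sizeof server))
        printf("Server: %s -> %s\n", server,
               openssl_banner_status(server) == BANNER_VULNERABLE
                   ? "version in affected range (3.0.0-3.0.6)"
                   : "not in affected range / not reported");
    return 0;
}
```

In practice the response head comes from something like `curl -sI https://host/` fed to `status_from_response`. Treat BANNER_VULNERABLE as a prompt to verify on the host (package changelog, or `openssl version -a`), since a backported fix leaves the banner unchanged, and treat BANNER_NO_VERSION as unknown rather than safe, because ServerTokens Prod hides the library entirely.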


IP Address Confirmed With OpenSSL Vulnerability CVE-2022-3786, CVE-2022-3602 From Checking the Apache Web Server’s HTTP Header

Searching ‘OpenSSL’ on the security OSINT search engine Criminal IP (https://www.criminalip.io) shows that there are approximately 2.1 million IP addresses using OpenSSL.

Search Query :Product:OpenSSL


Search Results for “product: OpenSSL” on Criminal IP Showing Approximately 2.1 Million IP Addresses Using OpenSSL

https://www.criminalip.io/asset/search?query=Product%3AOpenSSL

14,000 Web Servers Affected by New OpenSSL Vulnerability Worldwide 

However, that query matches every system exposing OpenSSL regardless of whether it is vulnerable, so the cve_id filter gives a more accurate view of systems exposed to the vulnerability. At the time of writing, searching for cve_id: CVE-2022-3786 showed 14,527 IP addresses still running a vulnerable version of OpenSSL, two weeks after its disclosure. 

Search Query :cve_id:cve-2022-3786


14,527 of all Servers Using OpenSSL Discovered With New OpenSSL Vulnerability CVE-2022-3786

Statistics of Countries Using Vulnerable Version of OpenSSL, 26% of which are US 

Looking at the statistics of countries still using the vulnerable version of OpenSSL, the top 5 were US, Japan, Germany, China and the UK. 

Among them, the US was responsible for 3,814 out of the total 14,527, an overwhelming 26.25% of all IP addresses using the vulnerable version of OpenSSL. 


Worldwide Statistics of Countries with OpenSSL vulnerability cve-2022-3786, US Accounting for 26%

ASN Statistics of Vulnerable OpenSSL Use, Majority of Top 10 Are Cloud Service ASN 

Looking at the ASN statistics for all IP addresses using vulnerable OpenSSL, 7 of the top 10 ASNs belong to cloud service providers such as Microsoft, Amazon, Google, OVH and DigitalOcean.

This means that a large share of the unpatched OpenSSL instances are running on cloud servers that nobody is keeping up to date.

Apart from the cloud service providers, ASNs of other large companies such as Hangzhou Alibaba also appear, suggesting they are likewise neglecting these at-risk assets.


ASN Statistic of OpenSSL Vulnerability cve-2022-3786 Servers Around the World, 7 out of Top 10 are Cloud Providers’ ASN

Intelligence Analysis of IP Address Using Vulnerable Version of OpenSSL 

An IP address running OpenSSL 3.0.5, and therefore carrying the OpenSSL vulnerability, was analyzed with Criminal IP intelligence, which found that ports 22, 80 and 443 were in a vulnerable state.

The IP address carries a total of 4 vulnerabilities: 3 OpenSSL vulnerabilities, namely the recently announced CVE-2022-3786 and CVE-2022-3602 together with CVE-2022-3358, and 1 OpenSSH vulnerability (CVE-2021-36368), all of which could be exploited.

If an attacker successfully exploits an OpenSSL vulnerability where RCE can be achieved through the overflow, the server may be taken over and used as a bot. 

According to the Criminal IP intelligence analysis results, the inbound score is rated critical. This means that the IP address is dangerous when it appears as a source IP accessing internal servers, so security personnel should block it at the firewall. 


Criminal IP Intelligence Analysis Result of an IP Address with New OpenSSL Vulnerabilities Show a Total of 4 Vulnerabilities Found


Criminal IP Intelligence Analysis Result of an IP Address with OpenSSL Vulnerabilities Shows That Port 22, 80 and 443 are in a Vulnerable State

OpenSSL Vulnerability Solutions 

Recommend Upgrading to OpenSSL version 3.0.7

Download Link: https://github.com/openssl/openssl/tags

Although OpenSSL lowered the severity from critical to high because of the preconditions for exploitation and the protections in current platforms, that does not mean the vulnerability is not dangerous. Attackers attempt a variety of attacks precisely because the use of vulnerable products can be identified from outside.


Scanner IP collected by Criminal IP, Scan Request With Multiple Ports

Looking at the attack history of the scanner IPs collected by Criminal IP (https://www.criminalip.io/intelligence/statistics), they send scan requests to many ports. Therefore, across all managed servers, externally exposed ports and vulnerable products need closer attention and thorough management. If a vulnerability is present, it is important to quickly take measures such as applying the security patch.

Please refer to our article that analyzes web server vulnerabilities caused by Apache web server-installed software for more information.


Source : Criminal IP (https://www.criminalip.io)

Related Article : https://blog.criminalip.io/2022/11/09/software-package/