Cythera Cyber Security

OpenSSL v3.0.x Buffer Overrun Vulnerability

An additional statement from the OpenSSL team on the 1st of November downgraded the vulnerability from critical to high, citing that testing feedback provided by security firms.
Talk to an expert

CVE-2022-3602 – OpenSSL v3.0.x Buffer Overrun Vulnerability

CVE: CVE-2022-3602 and CVE-2022-3786
What Is Vulnerable?: OpenSSL versions 3.0.0 or later. It is worth noting that SSL v3.0.0 was released in September 2021.

What’s Happening?

October 26th, the OpenSSL project team announced a critical vulnerability that was found in their widely used TLS and SSL software library. An additional statement from the OpenSSL team on the 1st of November downgraded the vulnerability from critical to high, citing that testing feedback provided by security firms. Estimates from shodan.io, indicate that 16,000 of all websites using OpenSSL are currently using version 3.0.x or later. Currently, there is no known exploitation of these vulnerabilities in the wild. OpenSSL prior to v3.0.x are not vulnerable as the exploit is due to a decoding functionality which was introduced in v3.0.x.


Key Facts

  • This vulnerability can be a client/browser-based exploit via browsing to an attacker-controlled server presenting with a malicious certificate.
  • Alternatively, if an SSL server requests a certificate from the client, the client can provide a malicious certificate.
  • Could cause a local crash, remote code execution or unexpected behaviour.
  • Browsers are unlikely to be using OpenSSL v.3.0.x due to slow adoption.
  • OpenSSL v3.0.x is installed by default in some new versions of Linux distributions.

What You Can Do

  • Cythera is monitoring EndpointProtect and Managed Detection and Response clients for associated indicators of attack and post exploitation activities.
  • Cythera Vulnerability Management clients are actively being scanned for any instances of vulnerable versions of OpenSSL.
  • Consult with vendors to ensure that their software has been patched.
  • Any instances of OpenSSL v3.0.x should be patched to v3.0.7 which has been released as of the 1st of November. The patch can be found here.


Events

Latest events

Join Cythera experts for networking events, technical briefings, and hands-on workshops hosted throughout the year.
View all events
No items found.
Cyber security news

Latest advisories

Stay ahead of emerging threats with our expert blog posts, research, and industry updates.
Silverstripe - Host Header Injection
Silverstripe CMS is affected by a Host Header Injection flaw, which can be exploited to manipulate password reset workflows, potentially redirecting or compromising user data.
FarCry Core Framework - Multiple Issues
FarCry Core contains multiple vulnerabilities that could let unauthenticated users upload arbitrary files and execute remote code on the hosting server.
Silverstripe – Cross-Site Scripting (XSS) Vulnerability
With local organisation admin credentials, an attacker can exploit the API to create, delete, or revert virtual machine snapshots in other organisations’ Virtual Data Centres (VDCs), breaching isolation boundaries.