OpenSSL Patches Two High Severity Vulnerabilities

By Claire Tills, Senior Research Engineer, Tenable

On October 25, OpenSSL announced that a forthcoming release, version 3.0.7, would contain a patch for a critical vulnerability. That announcement preceded the release by one week, leaving ample time for speculation about the nature and impact of the flaw. On November 1, OpenSSL released version 3.0.7 and updated its announcement, stating that investigation in the intervening week had shown that the vulnerability originally rated critical was only of high severity. The release also fixed a second high-severity flaw. With 3.0.7, OpenSSL patched CVE-2022-3786 and CVE-2022-3602, two buffer overflows that could result in denial of service.

“After the preannouncement and rampant nail-biting, the release from OpenSSL today revealed a couple of high-severity flaws that are not easy to exploit and only affect a small subset of OpenSSL implementations. CVE-2022-3786 and CVE-2022-3602 are buffer overflow vulnerabilities in OpenSSL versions 3.0.0 through 3.0.6. The most likely outcome of successful exploitation is denial of service, but remote code execution is possible if stack overflow protections aren’t in place. Both vulnerabilities have to be triggered after certificate chain signature verification, meaning an attacker would likely need to get their malicious certificate signed.

“Vendors have all sorts of rationales for the way they handle vulnerability disclosures. In this case, OpenSSL pre-announcing the vulnerability before it had completed its investigation meant that it had to adjust its description of the vulnerabilities, and those responding to this situation may have unnecessarily burnt out resources. That being said, this is an opportunity for organisations to evaluate their response processes and understand what can be improved. How difficult was it for them to determine which version of OpenSSL they had deployed, or whether any software on which they rely was vulnerable? Were their communication channels mature enough to get correct information to the people who needed it as soon as it was available?”
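The question raised above, which OpenSSL version is deployed and whether it falls in the affected range, is the kind of check a responder wants scripted. The following is an added example, not code from Tenable or the OpenSSL project: it parses `openssl version` banners collected from hosts (the host names and banners here are constructed samples) and flags the 3.0.0 through 3.0.6 range the article states is affected, with 3.0.7 as the fixed release.

```python
import re

# Affected range as stated in the article: OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)
CVES = ("CVE-2022-3786", "CVE-2022-3602")

# Matches the first line of `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022".
# Pre-3.0 releases carry a letter suffix (1.1.1q); 3.x releases are purely numeric.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) parsed from a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_affected(banner):
    """True if the banner reports a version inside 3.0.0 <= v < 3.0.7."""
    major, minor, patch, _letter = parse_openssl_version(banner)
    return AFFECTED_MIN <= (major, minor, patch) < FIXED_IN


def triage(banners):
    """Map host -> verdict for a {host: banner} inventory."""
    verdicts = {}
    for host, banner in banners.items():
        if is_affected(banner):
            verdicts[host] = "AFFECTED (%s): upgrade to 3.0.7" % ", ".join(CVES)
        else:
            verdicts[host] = "not in affected range"
    return verdicts


# Constructed sample inventory; these are not real hosts.
SAMPLE = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "api-01": "OpenSSL 3.0.0 7 sep 2021",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, verdict)
```

Feed it the `openssl version` output gathered by whatever inventory tooling you already run; the verdict only says whether the version is in the stated range, not whether the deployed build is exposed to the certificate-processing path the flaws sit in.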
