Description

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to two buffer overrun vulnerabilities that can be triggered in X.509 certificate verification, specifically in name constraint checking.

The vulnerabilities occur after certificate chain signature verification and require either a CA to have signed the malicious certificate or the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack.

The vulnerabilities are:

  • X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
  • X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)

Remediation

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
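A version triage helper for the affected range above, added here as an example and not part of the advisory or of OpenSSL itself. It parses the banner printed by `openssl version` and classifies a host as affected (3.0.0 through 3.0.6), fixed (3.0.7 or later) or not affected (the 1.1.1 and 1.0.2 branches), which is the inventory check a defender runs before rolling out the upgrade. The sample banners are constructed; the `Assessment` type and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Affected range as stated in the advisory: OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)

# Matches "OpenSSL <major>.<minor>.<patch><optional letter>", e.g. "OpenSSL 3.0.5" or "OpenSSL 1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass
class Assessment:
    version: str   # normalised version string, or the raw banner when unparseable
    affected: bool # True only for 3.0.0 - 3.0.6
    reason: str    # human-readable justification for the verdict


def parse_openssl_version(banner: str):
    """Extract (major, minor, patch, letter) from an `openssl version` banner.

    Returns None when the banner does not look like OpenSSL output (for
    example a LibreSSL banner), so callers can flag it for manual review.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def assess(banner: str) -> Assessment:
    """Classify one banner against the ranges named in the advisory."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return Assessment(banner.strip(), False,
                          "not an OpenSSL version banner; review manually")
    major, minor, patch, letter = parsed
    version = f"{major}.{minor}.{patch}{letter}"

    if (major, minor) == (3, 0):
        if AFFECTED_MIN <= (major, minor, patch) < FIXED_VERSION:
            return Assessment(version, True,
                              "3.0.0-3.0.6: CVE-2022-3602 / CVE-2022-3786, upgrade to 3.0.7")
        return Assessment(version, False, "3.0.7 or later contains the fix")

    if (major, minor, patch) in ((1, 1, 1), (1, 0, 2)):
        return Assessment(version, False, "1.1.1 / 1.0.2 branch is not affected")

    # Anything else is outside the ranges the advisory names; do not guess.
    return Assessment(version, False,
                      "version not covered by this advisory; check vendor guidance")


def assess_all(banners):
    """Triage a list of banners; returns the Assessment for each in order."""
    return [assess(b) for b in banners]


# Constructed sample banners, in the format `openssl version` prints.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for a in assess_all(SAMPLE_BANNERS):
        flag = "AFFECTED" if a.affected else "ok      "
        print(f"{flag}  {a.version:<12} {a.reason}")
```

Feed it the output of `openssl version` collected from each host (for example via your configuration-management tool), and treat every `None` parse as a host to inspect by hand rather than as clean; statically linked copies of libcrypto inside applications are not visible to this check and need a separate inventory.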
