Statement on CVE 2022-3602 OpenSSL X.509 Email Address 4-byte Buffer Overflow

November 27, 2022

Information

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

Risk

Medium

Response

Melissa is aware of the OpenSSL v3.0 vulnerability. After an extensive review by Melissa’s IT department and developers, we’ve determined that no customer-facing devices were affected by the vulnerability. Internally, some development environment instances were affected by the vulnerabilities but have since been properly patched on November 2, 2022. In addition to the Operating Systems, the IT department also investigated VMware tools and has determined that they were not affected.

Melissa will continue to follow all guidance provided by CISA and OpenSSL as necessary to prevent any future risks.