Statement on CVE 2022-3786 OpenSSL X.509 Email Address Variable Length Buffer Overflow

November 27, 2022

Information

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

Risk

Medium

Response

Melissa is aware of the OpenSSL v3.0 vulnerability. After an extensive review by Melissa’s IT department and developers, we’ve determined that no customer-facing devices were affected by the vulnerability. Internally, some development environment instances were affected by the vulnerabilities but have since been properly patched on November 2, 2022. In addition to the Operating Systems, the IT department also investigated VMware tools and has determined that they were not affected.

Melissa will continue to follow all guidance provided by CISA and OpenSSL as necessary to prevent any future risks.