Analysis
On 1 November, OpenSSL published an advisory about two high-severity vulnerabilities that could lead to denial of service and remote code execution.
The vulnerability allows a buffer overrun to be triggered during X.509 certificate verification, specifically in the name constraint check. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack, which could lead to remote code execution or denial of service.
OpenSSL has stated that there is currently no known exploit code.
Polar Bear reported this vulnerability to OpenSSL. It was initially rated Critical severity and later downgraded to High. The two issues are tracked as CVE-2022-3602 and CVE-2022-3786 in the Common Vulnerabilities and Exposures (CVE) database.
The vulnerable OpenSSL versions are 3.0.1 through 3.0.6; OpenSSL 1.1.1 and 1.0.2 are not affected by these vulnerabilities.
CVEs of Vulnerable Products
- CVE-2022-3602
- CVE-2022-3786
Prevention
Update OpenSSL to version 3.0.7 or to the latest available version.
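To turn the affected-version statement and the prevention advice above into something a defender can run across a fleet, here is an added example (not code from the page or from the OpenSSL project) that parses `openssl version` style banners and flags any OpenSSL 3.0.x release older than the 3.0.7 fix release. It also checks the OpenSSL library the running Python interpreter is linked against via `ssl.OPENSSL_VERSION`. The sample banners, the `Finding` dataclass and the `assess` / `parse_openssl_version` function names are constructed for this example.

```python
import re
import ssl
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

# The fix release named in the prevention advice: any OpenSSL 3.0.x release
# older than this has not received the fix for CVE-2022-3602 / CVE-2022-3786.
FIXED_RELEASE = (3, 0, 7)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q 5 Jul 2022".
# The optional trailing letter covers the 1.x patch-letter scheme.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass(frozen=True)
class Finding:
    version: Optional[str]  # "major.minor.patch[letter]" or None if not OpenSSL
    affected: bool          # True only for an OpenSSL 3.0.x release below 3.0.7
    reason: str             # short human-readable explanation


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, patch, letter) from an `openssl version` banner.

    Returns None when the text is not an OpenSSL banner (e.g. LibreSSL).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def assess(version_text: str) -> Finding:
    """Decide whether a banner describes an OpenSSL 3.0.x build older than the fix."""
    parsed = parse_openssl_version(version_text)
    if parsed is None:
        return Finding(None, False, "not an OpenSSL version banner")
    major, minor, patch, letter = parsed
    label = f"{major}.{minor}.{patch}{letter}"
    if (major, minor) != (3, 0):
        # The advisory scopes the bug to the 3.0 series; 1.1.1 and 1.0.2 are
        # stated as unaffected, and later series shipped after the fix.
        return Finding(label, False, "not in the OpenSSL 3.0 series")
    if (major, minor, patch) < FIXED_RELEASE:
        fixed = ".".join(str(n) for n in FIXED_RELEASE)
        return Finding(label, True, f"3.0.x release older than the {fixed} fix")
    return Finding(label, False, "3.0.7 or later")


def assess_installed(openssl_binary: str = "openssl") -> Optional[Finding]:
    """Assess the OpenSSL CLI on PATH; returns None if it cannot be executed."""
    try:
        out = subprocess.run([openssl_binary, "version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return assess(out.stdout)


def assess_python_runtime() -> Finding:
    """Assess the OpenSSL library this interpreter's ssl module is linked against."""
    return assess(ssl.OPENSSL_VERSION)


# Constructed sample banners in the shape `openssl version` prints.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        f = assess(banner)
        print(f"{banner!r:70} -> affected={f.affected} ({f.reason})")
    rt = assess_python_runtime()
    print(f"python runtime: {rt.version} affected={rt.affected} ({rt.reason})")
    cli = assess_installed()
    print("openssl CLI:", "not found" if cli is None else f"{cli.version} affected={cli.affected}")
```

A banner check is only a first pass: Linux distributions commonly backport security fixes without bumping the upstream version string, so a host reporting 3.0.2 may already carry the fix in its package build. Confirm a flagged host against the package manager's changelog or the vendor's advisory before treating it as unpatched.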
References
OpenSSL
CISA.gov