Threat Response: Denial of Service in OpenSSL

16-03-2022

On Tuesday the 15th of March a vulnerability in OpenSSL was made public [1,2]. The vulnerability allows an attacker to perform a DoS (Denial of service) attack. This causes externally reachable servers that accept and process TLS certificates to be overloaded to the point that they are unusable. Northwave advises to update OpenSSL as soon as possible.

Description

The vulnerability (CVE-2022-0778) is present in the versions 3.0.0, 3.0.1, 1.1.1-1.1.1m and 1.0.2-1.0.2zc [3]. The vulnerability exists in the „BN_mod_sqrt()“ function. This function is used when parsing certificates that contain elliptic curve public keys. It is possible to trigger an infinite loop by ingesting a certificate with invalid explicit curve parameters.

The vulnerability can only be exploited in the following situations:

  1. A vulnerable system that connects to a malicious TLS server.
  2. A vulnerable TLS server accepts client certificates.
  3. A vulnerable system treats private keys or certificates from a third party (for example a hosting provider).
  4. Vulnerable certificate authorities that handle certificate requests (CSRs) from a third party.
  5. All other applications that use OpenSSL to parse the elliptic curve parameters.

In most cases, vulnerable systems will be TLS servers (for example a web- or mailserver) that use client certificate authentication (item 2 in the list above).

Risk

The vulnerability is present in the parsing of certificate signatures. Therefore, every process that parses certificates from third parties is vulnerable to this Denial of Service. We determine the risk as High.

Impact

Because this vulnerability can cause disruption, but doesn’t give unauthorised access, we determine the impact as Medium.

Mitigation

Upgrades are available for OpenSSL. Users are recommended to apply the following upgrades to the appropriate versions:

  • Version 1.0.2 update to 1.0.2zd
  • Version 1.1.1 update to 1.1.1n
  • Version 3.0 update to 3.0.2

What should you do?

We recommend to install the OpenSSL updates as soon as possible.

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.

Sources

[1]: https://www.openssl.org/news/secadv/20220315.txt

[2]: https://www.openssl.org/news/vulnerabilities.html

[3]: https://www.cve.org/CVERecord?id=CVE-2022-0778

 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.