Microsoft Provides Guidance on Recent OpenSSL Security Risks
Microsoft has chimed in on the highly visible OpenSSL security risks that emerged last week, and advises users to start applying fixes based on OpenSSL's recent patches.
The issue started on Oct. 25 when two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affecting OpenSSL version 3.0.0 and later emerged. CVE-2022-3602 was rated critical at the time (but has since been downgraded to important) and could lead to remote code execution through a stack buffer overflow, while CVE-2022-3786 could lead to a denial-of-service attack with the aid of malicious email addresses.
Fortunately, neither vulnerability has been spotted in the wild, and there are currently no known working exploits for them. However, according to Microsoft, the potential targets of both vulnerabilities are widespread. "This impacts both TLS clients and servers. For a client, the vulnerability could be triggered by connecting to a malicious server," wrote Microsoft in a blog post. "For a server, it can be triggered if the server requests client certificate authentication and a client with a maliciously configured certificate connects to the server."
Those on OpenSSL versions earlier than 3.0.0 are not susceptible to the vulnerabilities. "The bugs were introduced as part of punycode decoding functionality (currently only used for processing email address name constraints in X.509 certificates)," wrote the OpenSSL team in a blog post. "This code was first introduced in OpenSSL 3.0.0. OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected."
As for the downgrade of CVE-2022-3602 from critical to important, the team said that, after further investigation, exploiting the hole would be very complicated and that most platforms have built-in stack overflow protection, which should mitigate potential attacks.
In response to the two major security issues, the OpenSSL team released update 3.0.7 to fix them. Microsoft, after publishing its own analysis of the issues, is encouraging users to update as soon as possible. Per a Microsoft security blog post:
We encourage our customers using impacted versions of OpenSSL to upgrade to OpenSSL version 3.0.7. See Microsoft Security Update Guides (CVE-2022-3786 Security Update Guide and CVE-2022-3602 Security Update Guide) for the list of Microsoft products and services that have a dependency on OpenSSL 3.0 – 3.0.6 that customers need to take action to update.
Microsoft said that users can track which version of OpenSSL they have, and whether patching was successful, by checking under the Endpoints Exposure tab in Microsoft Defender Vulnerability Management.
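For those without Defender Vulnerability Management, the affected range stated above (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7; 1.0.2, 1.1.1 and earlier unaffected) can be checked against the banner printed by `openssl version`. The following is an added example, not code from the article, Microsoft or the OpenSSL project; it assumes versions newer than 3.0.x carry the fix, and the sample banners are constructed.

```shell
# openssl_status "<banner from 'openssl version'>"
# Prints one of: affected | fixed | unaffected | unknown
openssl_status() {
    banner=$1
    # Second field of e.g. "OpenSSL 3.0.5 5 Jul 2022" is the version;
    # non-OpenSSL banners (LibreSSL, BoringSSL) are reported as unknown.
    ver=$(printf '%s\n' "$banner" | awk '$1 == "OpenSSL" {print $2}')
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Drop letter suffixes (1.1.1q) and pre-release tags (3.0.5-dev)
    ver=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')
    # Split "major.minor.patch" into positional parameters
    set -- $(printf '%s\n' "$ver" | tr . ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -lt 3 ]; then
        echo unaffected          # 1.0.2, 1.1.1 and earlier lack the punycode code
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected            # 3.0.0 - 3.0.6: upgrade to 3.0.7
    else
        echo fixed               # 3.0.7 or later (assumed to include the fix)
    fi
}

# Demonstration over constructed banners (dates are made up)
for b in "OpenSSL 1.1.1q  5 Jul 2022" "OpenSSL 3.0.5 5 Jul 2022" \
         "OpenSSL 3.0.7 1 Nov 2022" "LibreSSL 3.6.0"; do
    printf '%-30s %s\n' "$b" "$(openssl_status "$b")"
done

# Check the openssl binary on this host, if one is installed
if command -v openssl >/dev/null 2>&1; then
    printf 'local openssl: %s\n' "$(openssl_status "$(openssl version)")"
fi
```

The CLI banner only reflects the binary on the path; applications that bundle or statically link their own copy of libcrypto (the dependency situation Microsoft's update guides enumerate) need to be inventoried separately.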