7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
The maintainers of OpenSSL have shipped patches to resolve a high-severity security flaw in its software library that could lead to a denial-of-service (DoS) condition when parsing certificates.
Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue stems from parsing a malformed certificate with invalid explicit elliptic-curve parameters, resulting in whatβs called an βinfinite loop.β The flaw resides in a function called BN_mod_sqrt() thatβs used to compute the modular square root.
βSince certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack,β OpenSSL said in an advisory published on March 15, 2022.
βThe infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic-curve parameters.β
While there is no evidence that the vulnerability has been exploited in the wild, there are a few scenarios where it could be weaponized, including when TLS clients (or servers) access a rogue certificate from a malicious server (or client), or when certificate authorities parse certification requests from subscribers.
The vulnerability impacts OpenSSL versions 1.0.2, 1.1.1, and 3.0, the project owners addressed the flaw with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. OpenSSL 1.1.0, while also affected, will not receive a fix as it has reached end-of-life.
Credited with reporting the flaw on February 24, 2022 is Google Project Zero security researcher Tavis Ormandy. The fix was developed by David Benjamin from Google and TomΓ‘Ε‘ MrΓ‘z from OpenSSL.
CVE-2022-0778 is also the second OpenSSL vulnerability resolved since the start of the year. On January 28, 2022, the maintainers fixed a moderate-severity flaw (CVE-2021-4160, CVSS score: 5.9) affecting the libraryβs MIPS32 and MIPS64 squaring procedure.
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P