The recent OpenSSL updates address two security bugs in the service, including a high-severity vulnerability in the RSA private key operation. Exploiting this vulnerability could allow remote code execution attacks.
OpenSSL RCE Vulnerability
According to a recent advisory, a high-severity heap memory corruption vulnerability affected the OpenSSL 3.0.4. The bug existed in the RSA “implementation for X86_64 CPUs supporting the AVX512IFMA instructions”. Describing the impact of this flaw CVE-2022-2274, the advisory reads,
This issue makes the RSA implementation with 2048-bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.
This vulnerability typically existed in the OpenSSL 3.0.4 only and didn’t affect 1.1.1 and 1.0.2. The advisory elaborates that proper testing of OpenSSL would fail on a vulnerable machine. So, that’s something users should note before deployment.
Alongside this flaw, the vendors have also addressed a moderate-severity bug (CVE-2022-2097) in the AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation. Under certain conditions, this implementation would fail to encrypt the data in its entirety, rendering the purpose of deploying OpenSSL encryption useless.
As a result, this vulnerability could expose data in plaintext. As stated in the advisory,
This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of “in place” encryption, sixteen bytes of the plaintext would be revealed.
While it’s a severe issue, it didn’t affect TLS and DTLS since OpenSSL doesn’t support OCB-based cipher for them.
Patches Deployed – Update Asap!
The vulnerability CVE-2022-2097 first caught the attention of Alex Chernyakhovsky from Google on June 15, 2022. He found the vulnerability affecting the OpenSSL versions 1.1.1 and 3.0.
Whereas Xi Ruoyao reported the vulnerability on June 22, 2022, and also developed the fix for it.
Eventually, both the vulnerabilities received fixes with OpenSSL 3.0.5. Besides, users of OpenSSL 1.1.1 should consider upgrading to the latest v.1.1.1q to get the fix for CVE-2022-2097.
OpenSSL is the most used software for securing communications across different applications. One of its major implementations is the HTTPS system for encrypting device communications with websites. It includes open-source implementation of SSL and TLS protocols and helps secure web servers.
Let us know your thoughts in the comments.
