Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL
March 17, 2022

How To Fix CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL

How To Fix Cve 2022 0778 A Denial Of Service Vulnerability In Openssl

On 15th March, OpenSSL has published an advisory that talks about a high severity vulnerability in its software library. The flaw that is tracked as CVE-2022-0778 with a base score of 7.5 in CVSS3.1 would lead to a denial-of-service (DoS) condition in OpenSSL when parsing certificates. Since the flaw allows attackers to crash servers, it is important to learn How to Fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL.

Before we jump in to know how to fix CVE-2022-0778, a denial-of-service vulnerability in OpenSSL, it is important to know about the Elliptic-Curve and BN_mod_sqrt() function.

What Is Elliptic-curve cryptography (ECC)?

According to Wikipedia, “Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide equivalent security.”

It is being used in key agreementdigital signaturespseudo-random generators, and other encryption mechanisms. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme.

BN_mod_sqrt() function in Elliptic-Curve:

The BN_mod_sqrt() function is used to compute a modular square root. The function is being used to parse the certificates that either come with elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

The Summary Of CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL:

Any process that parses an externally supplied certificate may be subject to a denial of service attack since certificate parsing happens prior to verification of the certificate signature. This allows forming an infinite loop in the process of parsing crafted private keys if they contain explicit elliptic curve parameters. Usually, an attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature as per OpenSSL.

The advisory explains a few circumstances in which the flaw can be exploited. There are:

  • TLS clients consuming server certificates.

  • TLS servers consuming client certificates.

  • Hosting providers taking certificates or private keys from customers.

  • Certificate authorities parsing certification requests from subscribers.

  • Anything else which parses ASN.1 elliptic curve parameters.

  • Applications that use the BN_mod_sqrt() where the attacker can control the parameter values.

OpenSSL Versions Vulnerable To CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL:

The CVE-2022-0778 vulnerability affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. We recommend checking the version of OpenSSL on your servers and fix the CVE-2022-0778 vulnerability as soon as possible. You can run this simple command to check the OpenSSL version on your machine.

$ openssl version

How To Fix CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL?

OpenSSL addresses the vulnerabilities in its new releases. OpenSSL has rolled out three new versions with the patch. All are suggested to find out the current version of OpenSSL on their machines and upgrade to the corresponding suggested versions.

  1. OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)

  2. OpenSSL 1.1.1 users should upgrade to 1.1.1n

  3. OpenSSL 3.0 users should upgrade to 3.0.2

Note: OpenSSL 1.0.2 is reached end of life. So 1.0.2 has no support and no longer receiving public updates. Extended support is available for premium support customers only.

How to upgrade the OpenSSL and fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL?

Step 1. Check the OpenSSL version

Run this command to check the version of OpenSSL:

$ openssl version

Step 2. Download the OpenSSL package

Download the correct package. In this case, since we have OpenSSL v1.1.1f, we need to download 1.1.1n.
If you have 3 series of
OpenSSL, you should download

$ cd Downloads/
$ wget

$ chmod +x openssl-1.1.1n.tar.gz

Step 3. Extract the OpenSSL package

Extract the downloaded package to a folder.

$ tar -zxf openssl-1.1.1n.tar.gz
$ cd openssl-1.1.1n/

Step 4. Manually compile OpenSSL

Run this command to compile and create and makefile.

$ ./config

Step 5. Install/upgrade OpenSSL

Issue these commands to install or upgrade the OpenSSL.

$ sudo make
$ sudo make test
$ sudo mv /usr/bin/openssl ~/tmp (Backup current openssl binary)
$ sudo make install

Note: You may need to install make and gcc utilities before you install or upgrade the
OpenSSL.  Run this command to install the required packages if not preinstalled.

$ sudo apt install make gcc

Step 6. Create symbolic link from newly install binary to the default location

$ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl

Step 7. Check the OpenSSL version once again

Run these commands to update symlinks and rebuild the library cache then check the version of OpenSSL:

$ sudo ldconfig
$ openssl version

We hope this post would help you know How to Fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription