How to Fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL

On 15th March, OpenSSL published an advisory describing a high-severity vulnerability in its software library. The flaw, tracked as CVE-2022-0778 with a CVSS 3.1 base score of 7.5, leads to a denial-of-service (DoS) condition in OpenSSL when parsing certificates. Since the flaw allows attackers to crash servers, it is important to learn how to fix CVE-2022-0778.

Before we look at how to fix CVE-2022-0778, it helps to understand elliptic-curve cryptography and the BN_mod_sqrt() function.

What Is Elliptic-curve cryptography (ECC)?

According to Wikipedia, “Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide equivalent security.”

It is used in key agreement, digital signatures, pseudo-random generators, and other encryption mechanisms. Indirectly, elliptic curves can be used for encryption by combining the key agreement with a symmetric encryption scheme.

BN_mod_sqrt() function in Elliptic-Curve:

The BN_mod_sqrt() function computes a modular square root. It is used when parsing certificates that contain either elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

The Summary Of CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL:

Any process that parses an externally supplied certificate may be subject to a denial-of-service attack, since certificate parsing happens prior to verification of the certificate signature. The infinite loop can also be triggered while parsing crafted private keys if they contain explicit elliptic curve parameters. According to OpenSSL, an attacker can usually use a self-signed certificate to trigger the loop during verification of the certificate signature.

The advisory describes several circumstances in which the flaw can be exploited. These are:

  • TLS clients consuming server certificates.
  • TLS servers consuming client certificates.
  • Hosting providers taking certificates or private keys from customers.
  • Certificate authorities parsing certification requests from subscribers.
  • Anything else which parses ASN.1 elliptic curve parameters.
  • Applications that use the BN_mod_sqrt() where the attacker can control the parameter values.

OpenSSL Versions Vulnerable To CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL:

The CVE-2022-0778 vulnerability affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. We recommend checking the version of OpenSSL on your servers and fixing the CVE-2022-0778 vulnerability as soon as possible. You can run this simple command to check the OpenSSL version on your machine.

$ openssl version

How To Fix CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL?

OpenSSL addresses the vulnerability in its new releases and has rolled out three new versions with the patch. All users are advised to find out the current version of OpenSSL on their machines and upgrade to the corresponding fixed version.

  1. OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
  2. OpenSSL 1.1.1 users should upgrade to 1.1.1n
  3. OpenSSL 3.0 users should upgrade to 3.0.2

Note: OpenSSL 1.0.2 has reached end of life, so it is no longer supported and no longer receives public updates. Extended support is available for premium support customers only.
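
The version-to-fix mapping above can be checked mechanically. The script below is an added example, not part of the original post or of OpenSSL: the function names are hypothetical and the sample banners are constructed. It compares the upstream version string only, so a distribution package that backports the fix under an older version string should be confirmed against the vendor's advisory.

```sh
#!/bin/sh
# Added example: classify an `openssl version` banner against the fixed
# releases named in this post (1.0.2zd, 1.1.1n, 3.0.2).

# Rank a letter suffix so that "" < a < ... < z < za < zb < ...
# (OpenSSL 1.x letter releases continue past "z" as "za", "zb", ...).
suffix_rank() {
    s=$1
    rank=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                  # first character of $s
        s=${s#?}                         # drop it
        n=$(printf '%d' "'$c")           # ASCII code of that character
        rank=$(( rank * 27 + n - 96 ))   # a=1 ... z=26
    done
    echo "$rank"
}

# Print FIXED, VULNERABLE or UNKNOWN for one banner line.
cve_2022_0778_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then echo UNKNOWN; return 0; fi
    base=${ver%%[a-z]*}                  # e.g. 1.1.1
    letters=${ver#"$base"}               # e.g. f (empty on 3.0.x)
    case $base in
        1.0.2) have=$(suffix_rank "$letters"); need=$(suffix_rank zd) ;;
        1.1.1) have=$(suffix_rank "$letters"); need=$(suffix_rank n) ;;
        3.0.*) have=${base#3.0.}; need=2
               case $have in
                   ''|*[!0-9]*) echo UNKNOWN; return 0 ;;
               esac ;;
        *)     echo UNKNOWN; return 0 ;; # branch not covered by this post
    esac
    if [ "$have" -ge "$need" ]; then echo FIXED; else echo VULNERABLE; fi
}

# Constructed sample banners, not captured from real hosts.
for banner in 'OpenSSL 1.1.1f  31 Mar 2020' 'OpenSSL 1.1.1n  15 Mar 2022' \
              'OpenSSL 1.0.2zc' 'OpenSSL 3.0.1 14 Dec 2021'; do
    printf '%-30s %s\n' "$banner" "$(cve_2022_0778_status "$banner")"
done

# The local binary, if one is on PATH.
if command -v openssl >/dev/null 2>&1; then
    cve_2022_0778_status "$(openssl version)"
fi
```

UNKNOWN means the banner is not an OpenSSL 1.0.2, 1.1.1 or 3.0 build, which are the only branches this post covers.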

How to Upgrade OpenSSL and Fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL?

  1. Check the OpenSSL version

    Run this command to check the version of OpenSSL:

    $ openssl version

  2. Download the OpenSSL package

    Download the correct package. In this case, since we have OpenSSL v1.1.1f, we need to download 1.1.1n.

    If you are on the OpenSSL 3.0 series, you should download 3.0.2.

    $ cd Downloads/
    $ wget https://www.openssl.org/source/openssl-1.1.1n.tar.gz

    $ chmod +x openssl-1.1.1n.tar.gz

  3. Extract the OpenSSL package

    Extract the downloaded package to a folder.

    $ tar -zxf openssl-1.1.1n.tar.gz
    $ cd openssl-1.1.1n/

  4. Manually compile OpenSSL

    Run this command to configure the build and create configdata.pm and the Makefile.

    $ ./config

  5. Install/upgrade OpenSSL

    Issue these commands to install or upgrade OpenSSL.

    $ sudo make
    $ sudo make test
    $ sudo mv /usr/bin/openssl ~/tmp    # Back up the current openssl binary
    $ sudo make install

    Note: You may need to install the make and gcc utilities before you install or upgrade OpenSSL. Run this command to install the required packages if they are not preinstalled.

    $ sudo apt install make gcc

  6. Create a symbolic link from the newly installed binary to the default location

    $ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl

  7. Check the OpenSSL version once again

    Run these commands to update symlinks and rebuild the library cache then check the version of OpenSSL:

    $ sudo ldconfig
    $ openssl version

We hope this post helps you understand how to fix CVE-2022-0778, a denial-of-service vulnerability in OpenSSL.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
