On 15th March, OpenSSL has published an advisory that talks about a high severity vulnerability in its software library. The flaw that is tracked as CVE-2022-0778 with a base score of 7.5 in CVSS3.1 would lead to a denial-of-service (DoS) condition in OpenSSL when parsing certificates. Since the flaw allows attackers to crash servers, it is important to learn How to Fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL.
Before we jump in to know how to fix CVE-2022-0778, a denial-of-service vulnerability in OpenSSL, it is important to know about the Elliptic-Curve and BN_mod_sqrt() function.
What Is Elliptic-curve cryptography (ECC)?
According to Wikipedia, “Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide equivalent security.”
It is being used in key agreement, digital signatures, pseudo-random generators, and other encryption mechanisms. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme.
BN_mod_sqrt() function in Elliptic-Curve:
The BN_mod_sqrt() function is used to compute a modular square root. The function is being used to parse the certificates that either come with elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.
The Summary Of CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL:
Any process that parses an externally supplied certificate may be subject to a denial of service attack since certificate parsing happens prior to verification of the certificate signature. This allows forming an infinite loop in the process of parsing crafted private keys if they contain explicit elliptic curve parameters. Usually, an attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature as per OpenSSL.
The advisory explains a few circumstances in which the flaw can be exploited. There are:
- TLS clients consuming server certificates.
- TLS servers consuming client certificates.
- Hosting providers taking certificates or private keys from customers.
- Certificate authorities parsing certification requests from subscribers.
- Anything else which parses ASN.1 elliptic curve parameters.
- Applications that use the BN_mod_sqrt() where the attacker can control the parameter values.
OpenSSL Versions Vulnerable To CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL:
The CVE-2022-0778 vulnerability affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. We recommend checking the version of OpenSSL on your servers and fix the CVE-2022-0778 vulnerability as soon as possible. You can run this simple command to check the OpenSSL version on your machine.
$ openssl version
How To Fix CVE-2022-0778- A Denial-Of-Service Vulnerability In OpenSSL?
OpenSSL addresses the vulnerabilities in its new releases. OpenSSL has rolled out three new versions with the patch. All are suggested to find out the current version of OpenSSL on their machines and upgrade to the corresponding suggested versions.
- OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
- OpenSSL 1.1.1 users should upgrade to 1.1.1n
- OpenSSL 3.0 users should upgrade to 3.0.2
Note: OpenSSL 1.0.2 is reached end of life. So 1.0.2 has no support and no longer receiving public updates. Extended support is available for premium support customers only.
How to upgrade the OpenSSL and fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL?
- Check the OpenSSL version
Run this command to check the version of OpenSSL:
$ openssl version
- Download the OpenSSL package
Download the correct package. In this case, since we have OpenSSL v1.1.1f, we need to download 1.1.1n.
If you have 3 series of OpenSSL, you should download 3.0.2.
$ cd Downloads/
$ wget https://www.openssl.org/source/openssl-1.1.1n.tar.gz
$ chmod +x openssl-1.1.1n.tar.gz
- Extract the OpenSSL package
Extract the downloaded package to a folder.
$ tar -zxf openssl-1.1.1n.tar.gz
$ cd openssl-1.1.1n/
- Manually compile OpenSSL
Run this command to compile and create configdata.pm and makefile.
- Install/upgrade OpenSSL
Issue these commands to install or upgrade the OpenSSL.
$ sudo make
$ sudo make test
$ sudo mv /usr/bin/openssl ~/tmp (Backup current openssl binary)
$ sudo make install
Note: You may need to install make and gcc utilities before you install or upgrade the OpenSSL. Run this command to install the required packages if not preinstalled.
$ sudo apt install make gcc
- Create symbolic link from newly install binary to the default location
$ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
- Check the OpenSSL version once again
Run these commands to update symlinks and rebuild the library cache then check the version of OpenSSL:
$ sudo ldconfig
$ openssl version
We hope this post would help you know How to Fix CVE-2022-0778- A Denial-of-Service Vulnerability in OpenSSL. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.