CVE-2022-3602 PoC — X.509 Email Address 4-byte Buffer Overflow

Associated Vulnerability
Title: X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
Description: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6).
Description
Operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3
Readme
# 2022 OpenSSL vulnerability - CVE-2022-3602/CVE-2022-3786

<img src="spooky.png" alt="Spooky SSL" width="300">

This repo contains operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3.0.0-3.0.6. For more information see:

- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20221101.txt)
- [OpenSSL Blogpost FAQ](https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/)
- [CERT-Bund advisory (DE)](https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2022/2022-267005-1032.html)
- [CISA advisory](https://www.cisa.gov/uscert/ncas/current-activity/2022/11/01/openssl-releases-security-update)
- [NCSC-NL advisory (NL)](https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0685)
- [OpenSSL pre-notification](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html)
- [OpenSSL release notification](https://mta.openssl.org/pipermail/openssl-announce/2022-November/000241.html)
- [SANS Internet Storm Center Blogpost](https://isc.sans.edu/forums/diary/Critical+OpenSSL+30+Update+Released+Patches+CVE20223786+CVE20223602/29208)


## What is OpenSSL and what is it used for?
OpenSSL is a library used for cryptographic purposes, especially in the field of network connections. For example, web servers often use OpenSSL to establish encrypted HTTPS connections. Mail servers and VPN protocols such as OpenVPN also use OpenSSL to establish encrypted communication channels. The library can be found in a broad array of products, including network devices, embedded systems and container images.

## What products are vulnerable?
The vulnerability is present in products using OpenSSL 3.0.0-3.0.6. Products that use OpenSSL 1.0.2 or 1.1.1 are not affected.

Currently no complete overview of vulnerable products is available. Please see [software/README.md](software/README.md) for a list of products that are known to be vulnerable. The list is a work in progress. For more information about specific products, please refer to your supplier.
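
As an added example (not part of this repository), the version range above can be turned into a triage check over collected `openssl version` banners. The function name `classify`, the status labels and the sample banners are assumptions made for this illustration; the banners are constructed.

```python
import re

# Range taken from the page: affected 3.0.0-3.0.6, fixed in 3.0.7.
AFFECTED_FROM = (3, 0, 0)
FIXED_IN = (3, 0, 7)

BANNER_RE = re.compile(
    r"\b(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[0-9A-Za-z.]+)?"
)

def classify(banner):
    """Return (status, product, version) for one version banner line."""
    matches = list(BANNER_RE.finditer(banner))
    if not matches:
        return ("unknown", None, None)
    # A banner may name both the binary and the linked library; the library
    # holds the certificate-verification code, so prefer "Library: ...".
    chosen = matches[0]
    for m in matches:
        if banner[:m.start()].rstrip().endswith("Library:"):
            chosen = m
    product, major, minor, patch, letter, tag = chosen.groups()
    version = f"{major}.{minor}.{patch}{letter}{tag or ''}"
    if product != "OpenSSL":
        # LibreSSL 3.x numbers overlap the range, but the range is for OpenSSL.
        return ("not_applicable", product, version)
    triple = (int(major), int(minor), int(patch))
    if triple < AFFECTED_FROM:
        return ("not_affected", product, version)
    if tag:
        # Pre-release or vendor-tagged 3.x build: the page gives no answer.
        return ("review", product, version)
    if triple < FIXED_IN:
        return ("affected", product, version)
    return ("fixed", product, version)

# Constructed sample banners for illustration (not taken from the page).
SAMPLES = [
    "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for line in SAMPLES:
        status, product, version = classify(line)
        print(f"{status:15} {product} {version}  <- {line}")
```

The check compares upstream version numbers only. A distribution package can carry a backported fix while still reporting a version in the affected range, so an `affected` result is a prompt to check the supplier's advisory.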

## The product I use is vulnerable to this issue. What should I do?
For up-to-date information about patches and mitigations, please refer to your product vendor.

## IoCs and Detection
There are currently no known IoCs that indicate exploitation of this vulnerability. IoCs will be shared - when possible - through this repository.
For network detection rules please see [iocs_detection/README.md](iocs_detection/README.md).

## Hall of fame

We would like to thank everyone who provided source information or contributed to our GitHub page.

Below we present a very incomplete list of contributors and sources we consider the repository's hall of fame:

* [SANS](https://isc.sans.edu/diary/Upcoming+Critical+OpenSSL+Vulnerability+What+will+be+Affected/29192/)
* [SURFcert](https://wiki.surfnet.nl/pages/viewpage.action?pageId=11063492)
* [@jspaans](https://github.com/jspaans91)
* [@robert-scheck](https://github.com/robert-scheck)
* [@RobinFlikkema](https://github.com/RobinFlikkema)
* [@fox-srt](https://github.com/fox-srt)
* [@Royce Williams](https://github.com/roycewilliams)
File Snapshot

[4.0K] /data/pocs/b7d9b8e19f967f1c15535a2809c3fb668a0051c3
├── [4.0K] iocs_detection
│   └── [2.4K] README.md
├── [1.1K] LICENSE
├── [3.1K] README.md
├── [4.0K] scanning
│   └── [5.2K] README.md
├── [4.0K] software
│   ├── [4.5K] HOWTO.pr-review.md
│   ├── [ 94K] README.md
│   └── [4.0K] vendor-statements
│       ├── [ 52K] FileCap.png
│       ├── [ 28K] openssl_Barracuda-Email-Secure-Gateway.png
│       ├── [ 28K] openssl_Barracuda-Web-Application-Firewall.png
│       ├── [ 22K] openssl_Barracuda-Web-Secure-Gateway.png
│       ├── [228K] openssl_paessler_prtg.jpg
│       ├── [126K] openssl_queencreek.png
│       └── [ 68K] openssl_redgate_all.png
└── [119K] spooky.png

4 directories, 14 files