CVSS: 7.5EPSS: 10%CPEs: 9EXPL: 4CVE-2022-3602 – X.509 Email Address 4-byte Buffer Overflow
https://notcve.org/view.php?id=CVE-2022-3602
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. • https://github.com/colmmacc/CVE-2022-3602 https://github.com/eatscrayon/CVE-2022-3602-poc https://github.com/corelight/CVE-2022-3602 https://github.com/cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786 http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html http://www.openwall.com/lists/oss-security/2022/11/01/15 http://www.openwall.com/lists/oss-security/2022/11/01/16 http://www.openwall.com/lists/oss-security/2022/11/01/17 http://www&# • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 1CVE-2022-3786 – X.509 Email Address Variable Length Buffer Overflow
https://notcve.org/view.php?id=CVE-2022-3786
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. • https://github.com/cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a https://www.openssl.org/news/secadv/20221101.txt https://access.redhat.com/security/cve/CVE-2022-3786 https://bugzilla.redhat.com/show_bug.cgi?id=2139104 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-193: Off-by-one Error •