CVE-2022-0778

Infinite loop in BN_mod_sqrt() reachable when parsing certificates

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

La función BN_mod_sqrt(), que calcula una raíz cuadrada modular, contiene un error que puede causar un bucle eterno para módulos no primos. Internamente, esta función es usado cuando son analizados certificados que contienen claves públicas de curva elíptica en forma comprimida o parámetros de curva elíptica explícitos con un punto base codificado en forma comprimida. Es posible desencadenar el bucle infinito si es diseñado un certificado con parámetros de curva explícitos no válidos. Dado que el análisis del certificado es realizado antes de la verificación de la firma del certificado, cualquier proceso que analice un certificado suministrado externamente puede ser objeto de un ataque de denegación de servicio. El bucle infinito también puede alcanzarse cuando son analizadas claves privadas diseñadas, ya que pueden contener parámetros explícitos de la curva elíptica. Por lo tanto, las situaciones vulnerables incluyen: - Clientes TLS que consumen certificados de servidor - Servidores TLS que consumen certificados de cliente - Proveedores de hosting que toman certificados o claves privadas de clientes - Autoridades de certificación que analizan peticiones de certificación de suscriptores - Cualquier otra cosa que analice parámetros de curva elíptica ASN.1 También cualquier otra aplicación que utilice BN_mod_sqrt() donde el atacante pueda controlar los valores de los parámetros es vulnerable a este problema de DoS. En OpenSSL versión 1.0.2, la clave pública no es analizada durante el análisis inicial del certificado, lo que dificulta ligeramente la activación del bucle infinito. Sin embargo, cualquier operación que requiera la clave pública del certificado desencadenará el bucle infinito. En particular, el atacante puede usar un certificado autofirmado para desencadenar el bucle durante la verificación de la firma del certificado. Este problema afecta a OpenSSL versiones 1.0.2, 1.1.1 y 3.0. Fue abordado en las versiones 1.1.1n y 3.0.2 del 15 de marzo de 2022. Corregido en OpenSSL versión 3.0.2 (Afectado 3.0.0,3.0.1). Corregido en OpenSSL versión 1.1.1n (Afectado 1.1.1-1.1.1m). Corregido en OpenSSL versión 1.0.2zd (Afectado 1.0.2-1.0.2zc)

A flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack.

The BN_mod_sqrt() function in OpenSSL versions 1.0.2, 1.1.1, and 3.0, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

*Credits: Tavis Ormandy (Google)

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-28 CVE Reserved
2022-03-15 CVE Published
2022-03-29 First Exploit
2024-09-17 CVE Updated
2024-10-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (35)

URL	Tag	Source
http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html	Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/33	Mailing List
http://seclists.org/fulldisclosure/2022/May/35	Mailing List
http://seclists.org/fulldisclosure/2022/May/38	Mailing List
https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf	Third Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html	Mailing List
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html	Mailing List
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220321-0002	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220429-0005	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006
https://support.apple.com/kb/HT213255	Third Party Advisory
https://support.apple.com/kb/HT213256	Third Party Advisory
https://support.apple.com/kb/HT213257	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory
https://www.tenable.com/security/tns-2022-06	Third Party Advisory
https://www.tenable.com/security/tns-2022-07	Third Party Advisory
https://www.tenable.com/security/tns-2022-08	Third Party Advisory
https://www.tenable.com/security/tns-2022-09	Third Party Advisory

URL	Date	SRC
https://github.com/drago-96/CVE-2022-0778	2022-03-29
https://github.com/jkakavas/CVE-2022-0778-POC	2022-04-18
https://github.com/0xUhaw/CVE-2022-0778	2022-04-22
https://github.com/jeongjunsoo/CVE-2022-0778	2023-10-26

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ	2024-06-21
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6	2024-06-21
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG	2024-06-21
https://security.gentoo.org/glsa/202210-02	2024-06-21
https://www.debian.org/security/2022/dsa-5103	2024-06-21
https://www.openssl.org/news/secadv/20220315.txt	2024-06-21
https://access.redhat.com/security/cve/CVE-2022-0778	2022-06-30
https://bugzilla.redhat.com/show_bug.cgi?id=2062202	2022-06-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	A250 Firmware Search vendor "Netapp" for product "A250 Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	A250 Search vendor "Netapp" for product "A250"	-	-	Safe
Netapp Search vendor "Netapp"	500f Firmware Search vendor "Netapp" for product "500f Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	500f Search vendor "Netapp" for product "500f"	-	-	Safe
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.0.2 < 1.0.2zd Search vendor "Openssl" for product "Openssl" and version " >= 1.0.2 < 1.0.2zd"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.1.0 < 1.1.1n Search vendor "Openssl" for product "Openssl" and version " >= 1.1.0 < 1.1.1n"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 3.0.0 < 3.0.2 Search vendor "Openssl" for product "Openssl" and version " >= 3.0.0 < 3.0.2"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Netapp Search vendor "Netapp"		Cloud Volumes Ontap Mediator Search vendor "Netapp" for product "Cloud Volumes Ontap Mediator"				-		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				-		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Antivirus Connector Search vendor "Netapp" for product "Clustered Data Ontap Antivirus Connector"				-		-		Affected
Netapp Search vendor "Netapp"		Santricity Smi-s Provider Search vendor "Netapp" for product "Santricity Smi-s Provider"				-		-		Affected
Netapp Search vendor "Netapp"		Storagegrid Search vendor "Netapp" for product "Storagegrid"				-		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Tenable Search vendor "Tenable"		Nessus Search vendor "Tenable" for product "Nessus"				< 8.15.4 Search vendor "Tenable" for product "Nessus" and version " < 8.15.4"		-		Affected
Tenable Search vendor "Tenable"		Nessus Search vendor "Tenable" for product "Nessus"				>= 10.0.0 < 10.1.2 Search vendor "Tenable" for product "Nessus" and version " >= 10.0.0 < 10.1.2"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.2.0 < 10.2.42 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.2.0 < 10.2.42"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.3.0 < 10.3.33 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.3.0 < 10.3.33"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.4.0 < 10.4.23 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.4.0 < 10.4.23"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.5.0 < 10.5.14 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.5.0 < 10.5.14"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.6.0 < 10.6.6 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.6.0 < 10.6.6"		-		Affected
Mariadb Search vendor "Mariadb"		Mariadb Search vendor "Mariadb" for product "Mariadb"				>= 10.7.0 < 10.7.2 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.7.0 < 10.7.2"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 12.0.0 <= 12.12.0 Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 <= 12.12.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 12.13.0 < 12.22.11 Search vendor "Nodejs" for product "Node.js" and version " >= 12.13.0 < 12.22.11"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				> 14.0.0 <= 14.14.0 Search vendor "Nodejs" for product "Node.js" and version " > 14.0.0 <= 14.14.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 14.15.0 < 14.19.1 Search vendor "Nodejs" for product "Node.js" and version " >= 14.15.0 < 14.19.1"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				> 16.0.0 <= 16.12.0 Search vendor "Nodejs" for product "Node.js" and version " > 16.0.0 <= 16.12.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 16.13.0 < 16.14.2 Search vendor "Nodejs" for product "Node.js" and version " >= 16.13.0 < 16.14.2"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				> 17.0.0 < 17.7.2 Search vendor "Nodejs" for product "Node.js" and version " > 17.0.0 < 17.7.2"		-		Affected