CVE-2022-3786
X.509 Email Address Variable Length Buffer Overflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
Puede activarse una saturación del búfer en la verificación del certificado X.509, específicamente en la verificación de restricciones del nombre. Tenga en cuenta que esto ocurre después de la verificación de la firma de la cadena de certificados y requiere que una CA haya firmado un certificado malicioso o que la aplicación continúe con la verificación del certificado a pesar de no poder construir una ruta hacia un emisor confiable. Un atacante puede crear una dirección de correo electrónico maliciosa en un certificado para desbordar una cantidad arbitraria de bytes que contengan el carácter "." (decimal 46) en la pila de memoria. Este desbordamiento del búfer podría provocar un bloqueo (provocando una denegación de servicio). En un cliente TLS, esto se puede desencadenar conectándose a un servidor malicioso. En un servidor TLS, esto puede activarse si el servidor solicita la autenticación del cliente y se conecta un cliente malicioso.
A stack-based buffer overflow was found in the way OpenSSL processes X.509 certificates with a specially crafted email address field. This issue could cause a server or a client application compiled with OpenSSL to crash or possibly execute remote code when trying to process the malicious certificate.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-11-01 CVE Reserved
- 2022-11-01 CVE Published
- 2022-11-09 First Exploit
- 2024-05-24 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-193: Off-by-one Error
CAPEC
References (6)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786 | 2022-11-09 |
| URL | Date | SRC |
|---|---|---|
| https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://www.openssl.org/news/secadv/20221101.txt | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2022-3786 | 2022-11-02 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2139104 | 2022-11-02 | |
| https://access.redhat.com/security/vulnerabilities/RHSB-2022-004 | 2022-11-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 3.0.0 < 3.0.7 Search vendor "Openssl" for product "Openssl" and version " >= 3.0.0 < 3.0.7" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 18.0.0 < 18.11.0 Search vendor "Nodejs" for product "Node.js" and version " >= 18.0.0 < 18.11.0" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | 18.12.0 Search vendor "Nodejs" for product "Node.js" and version "18.12.0" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | 19.0.0 Search vendor "Nodejs" for product "Node.js" and version "19.0.0" | - |
Affected
| ||||||