Full Report
The OpenSSL component, versions 3.0.0 through 3.0.6, contains two buffer overflow vulnerabilities (CVE-2022-3602, CVE-2022-3786) in X.509 certificate verification [0]. They could allow an attacker to cause a denial of service condition or execute arbitrary code on a vulnerable TLS server (if the server requests client certificate authentication) or on a vulnerable TLS client. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available.
[0] https://www.openssl.org/news/secadv/20221101.txt
Analysis Summary
# Vulnerability: OpenSSL X.509 Buffer Overflows (CVE-2022-3602, CVE-2022-3786)
## CVE Details
- CVE ID: CVE-2022-3602, CVE-2022-3786
- CVSS Score: 7.5 (High), derived from the vector cited in the description: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
## Affected Systems
- Products: OpenSSL component, affecting various Siemens products including Calibre ICE, Mcenter (SINUMERIK Integrate), SCALANCE X switches, SICAM GridPass, and SIMATIC RTLS Locating Manager (when using vulnerable OpenSSL versions).
- Versions: OpenSSL versions 3.0.0 through 3.0.6.
- Configurations: The impact depends on the role of the vulnerable endpoint:
  1. **TLS Server Impact:** Requires the server to request client certificate authentication.
  2. **TLS Client Impact:** Triggered when connecting to a malicious server.
## Vulnerability Description
Two distinct buffer overflow vulnerabilities exist in the X.509 certificate verification logic, specifically within name constraint checking. This checking occurs after certificate chain signature verification.
1. **CVE-2022-3602:** An attacker crafts a malicious email address in a certificate to overflow four attacker-controlled bytes on the stack. This could lead to Denial of Service (DoS) or potentially Remote Code Execution (RCE).
2. **CVE-2022-3786:** An attacker crafts a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character on the stack, primarily resulting in a crash (DoS).
## Exploitation
- Status: PoC generally available (inferred from the severity and the breadth of vendor advisories for these widely known OpenSSL flaws; not stated explicitly in the source advisory)
- Complexity: Low (AC:L)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: No direct impact noted (C:N)
- Integrity: No direct impact noted (I:N, though RCE potential in CVE-2022-3602 could lead to Integrity compromise)
- Availability: High (A:H) - Can cause a denial of service condition (crash).
## Remediation
### Patches
- **OpenSSL Fixed Version:** OpenSSL 3.0.7 and later versions fix these issues.
- **Siemens Product Updates (examples only; the full list is in the advisory):**
  - Calibre ICE: Update to V2.13.0.3 or later.
  - Updates are available for further Siemens products; refer to SSA-408105 for all product-specific fixed versions.
### Workarounds
Customers should implement the following specific mitigations where updates are unavailable or pending:
1. **For vulnerable TLS Clients:** If configurable, ensure TLS server certificate verification is turned on, and **do not** configure trust for CA certificates that contain a `nameConstraints` extension using punycode-encoded internationalized domain names.
2. **For vulnerable TLS Servers (with client authentication enabled):** **Do not** configure trust for CA certificates that contain a `nameConstraints` extension using punycode-encoded internationalized domain names.
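As an added defender-side check (not code from the Siemens advisory or from OpenSSL), the function below walks a DER-encoded `nameConstraints` extension value (OID 2.5.29.30) and reports every permitted or excluded rfc822Name, dNSName or URI entry that carries a punycode (`xn--`) label, which is exactly the CA property the two workarounds above tell operators not to trust. The sample extension is constructed inline with a tiny DER builder; all helper names are my own.

```python
import re

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (short-form length only); used here to build the sample input."""
    assert len(body) < 128, "sample builder supports short-form lengths only"
    return bytes([tag, len(body)]) + body

def der_iter(data: bytes):
    """Yield (tag, value) for each TLV inside a DER constructed value (short and long lengths)."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

# IMPLICIT GeneralName tags carrying textual names that can hold punycode labels.
TEXT_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "uniformResourceIdentifier"}
SUBTREE_TAGS = {0xA0: "permitted", 0xA1: "excluded"}
PUNYCODE_LABEL = re.compile(r"(?:^|[.@/])xn--", re.IGNORECASE)  # "xn--" label at a name boundary

def punycode_name_constraints(ext_value: bytes):
    """Return (subtree kind, name type, name) for each name-constraint entry with an xn-- label."""
    hits = []
    for tag, body in der_iter(ext_value):            # NameConstraints ::= SEQUENCE { ... }
        if tag != 0x30:
            raise ValueError("NameConstraints must start with a SEQUENCE")
        for sub_tag, subtrees in der_iter(body):     # permittedSubtrees [0] / excludedSubtrees [1]
            if sub_tag not in SUBTREE_TAGS:
                continue
            for st_tag, subtree in der_iter(subtrees):   # GeneralSubtree ::= SEQUENCE { base, ... }
                name_tag, name = next(der_iter(subtree), (None, b""))  # base GeneralName comes first
                if st_tag == 0x30 and name_tag in TEXT_NAME_TAGS:
                    text = name.decode("ascii", "replace")
                    if PUNYCODE_LABEL.search(text):
                        hits.append((SUBTREE_TAGS[sub_tag], TEXT_NAME_TAGS[name_tag], text))
    return hits

# Constructed sample: a CA constrained to a punycode IDN (xn--bcher-kva = "bücher") plus an
# ASCII rfc822Name and an excluded dNSName that must not be flagged.
SAMPLE_NAME_CONSTRAINTS = tlv(0x30,
    tlv(0xA0, tlv(0x30, tlv(0x82, b"xn--bcher-kva.example"))
            + tlv(0x30, tlv(0x81, b"example.com")))
    + tlv(0xA1, tlv(0x30, tlv(0x82, b"test.example"))))

if __name__ == "__main__":
    for kind, name_type, value in punycode_name_constraints(SAMPLE_NAME_CONSTRAINTS):
        print(f"{kind} {name_type}: {value}")     # permitted dNSName: xn--bcher-kva.example
```

The input is the content of the extension's OCTET STRING as any X.509 library or `openssl asn1parse` exposes it; run the check over every CA certificate trusted by a vulnerable client or by a server that requests client certificates, and treat any hit as a certificate to remove from the trust store until OpenSSL 3.0.7 is deployed.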
## Detection
- **Indicators of Compromise:** Crashes or unexpected termination of TLS services/clients during certificate negotiation or validation when connecting to untrusted or suspicious external entities.
- **Detection methods and tools:** Network monitoring to detect unusual certificate structures exchanged during TLS handshakes, though specific detection requires deep packet inspection capabilities focused on X.509 fields.
## References
- Vendor Advisory: SSA-408105 (Siemens)
- OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20221101.txt