PAN-SA-2022-0006 Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602
Description
The OpenSSL Project has published two high severity vulnerabilities CVE-2022-3786 and CVE-2022-3602 that affect OpenSSL versions 3.0.0 through 3.0.6 on November 1st, 2022.
The Palo Alto Networks Product Security Assurance team has evaluated and confirmed that all products and services are not impacted by these vulnerabilities.
| CVE | Summary |
|---|---|
| CVE-2022-3786 | A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. |
| CVE-2022-3602 | A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6). |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| WildFire Cloud | None | All |
| WildFire Appliance (WF-500) | None | All |
| User-ID Agent | None | All |
| SaaS Security | None | All |
| Prisma SD-WAN ION | None | All |
| Prisma SD-WAN (CloudGenix) | None | All |
| Prisma Cloud Compute | None | All |
| Prisma Cloud | None | All |
| Prisma Access | None | All |
| PAN-OS | None | All |
| Palo Alto Networks App for Splunk | None | All |
| Okyo Garde | None | All |
| IoT Security | None | All |
| GlobalProtect App | None | All |
| Expedition Migration Tool | None | All |
| Expanse | None | All |
| Exact Data Matching CLI | None | All |
| Enterprise Data Loss Prevention | None | All |
| Cortex XSOAR | None | All |
| Cortex Xpanse | None | All |
| Cortex XDR Agent | None | All |
| Cortex XDR | None | All |
| Cortex Data Lake | None | All |
| Cloud NGFW | None | All |
| Bridgecrew | None | All |
| AutoFocus | None | All |
Severity: NONE, Suggested Urgency: N/A
CVSS-B: 0.0 (CVSS:4.0/AV:P/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.
Solution
No software updates are required at this time.
NOTE: Cortex XDR Broker VM versions earlier than Cortex XDR Broker VM 17.4.1 contain an affected version of the OpenSSL 3.0 library but are not impacted. There are no scenarios in Cortex XDR Broker VM software that enable successful exploitation of these vulnerabilities. The OpenSSL 3.0 library has been removed from Cortex XDR Broker VM 17.4.1 and later versions for security assurance.
Workarounds and Mitigations
Customers with a Threat Prevention subscription can block known attacks for CVE-2022-3602 by enabling Threat ID 93212 (Applications and Threats content update 8638). This mitigation reduces the risk of exploitation from known exploits.
Frequently Asked Questions
Q. How can I find vulnerable versions of OpenSSL in my environment?
With Prisma Cloud, security teams can prepare to detect and patch vulnerable systems as soon as the fix is available. Prisma Cloud customers can apply controls to address this vulnerability across multiple stages in the application lifecycle, from the code to the cloud.
See https://www.paloaltonetworks.com/blog/prisma-cloud/prepare-openssl-vulnerability/ for more information.