The maintainers of OpenSSL have shipped patches to resolve a high-severity security flaw in its software library that could lead to a denial-of-service (DoS) condition when parsing certificates.
Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue stems from parsing a malformed certificate with invalid explicit elliptic-curve parameters, resulting in what's called an "infinite loop." The flaw resides in a function called BN_mod_sqrt() that's used to compute the modular square root.
"Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack," OpenSSL said in an advisory published on March 15, 2022.
"The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic-curve parameters."
While there is no evidence that the vulnerability has been exploited in the wild, there are a few scenarios where it could be weaponized, including when TLS clients (or servers) access a rogue certificate from a malicious server (or client), or when certificate authorities parse certification requests from subscribers.
The vulnerability impacts OpenSSL versions 1.0.2, 1.1.1, and 3.0, the project owners addressed the flaw with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. OpenSSL 1.1.0, while also affected, will not receive a fix as it has reached end-of-life.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
Credited with reporting the flaw on February 24, 2022 is Google Project Zero security researcher Tavis Ormandy. The fix was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL.
CVE-2022-0778 is also the second OpenSSL vulnerability resolved since the start of the year. On January 28, 2022, the maintainers fixed a moderate-severity flaw (CVE-2021-4160, CVSS score: 5.9) affecting the library's MIPS32 and MIPS64 squaring procedure.