“After the preannouncement and rampant nail biting, the release from OpenSSL today revealed a couple of high severity flaws that are not easy to exploit and only affect a small subset of OpenSSL implementations. CVE-2022-3786 and CVE-2022-3602 are buffer overflow vulnerabilities in OpenSSL versions 3.0.0 through 3.0.6. The most likely outcome of successful exploitation is denial of service, but remote code execution is possible if stack overflow protections aren’t in place. Both vulnerabilities have to be triggered after certificate chain signature verification, meaning an attacker would likely need to get their malicious certificate signed.
“Vendors have all sorts of rationales for the way they handle vulnerability disclosures. In this case, OpenSSL pre-announcing the vulnerability before it had completed its investigation meant that it had to adjust its description of the vulnerabilities, and those responding to this situation may have unnecessarily burnt out resources. That being said, this is an opportunity for organisations to evaluate their response processes and understand what can be improved. How difficult was it for them to determine which version of OpenSSL they had deployed, or whether any software on which they rely was vulnerable? Were their communication channels mature enough to get correct information to the people who needed it as soon as it was available?” — Claire Tills, Senior Research Engineer, Tenable