ISN 2022-06: OpenSSL Denial of Service

First published 21st March 2022

CVSS 3.1 Base Score: 7.5 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

A vulnerability has been found in the OpenSSL cryptography library. This affects the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

It has been discovered that OpenSSL can run into an infinite loop when parsing a TLS certificate or key that has invalid explicit elliptic curve parameters (CVE-2022-0778). An attacker could use a crafted and self-signed certificate to cause a denial of service in OpenSSL and consequently in applications that use OpenSSL.
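As an added example (not part of this advisory, and not IGEL's or OpenSSL's code): a small Python pre-filter that inspects a DER or PEM certificate or SubjectPublicKeyInfo without calling into OpenSSL and reports whether any EC AlgorithmIdentifier carries explicit curve parameters, the input class this CVE concerns, so that such certificates can be logged or rejected before an unpatched library parses them. The `tlv` encoder and the sample blobs (`SPKI_NAMED`, `SPKI_EXPLICIT`, `CERT_LIKE`, `PEM_LIKE`) are constructed for the demonstration; the dummy key bit string is not a real point, and the explicit ECParameters sample is cut down to its version field, since only the parameter's ASN.1 tag matters to the check.

```python
"""Detect EC keys/certificates that use explicit parameters instead of a namedCurve OID.
Added example for CVE-2022-0778 triage; pure Python, no OpenSSL involved."""
import base64
import re

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1 (id-ecPublicKey)
SECP256R1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7 (prime256v1)


def read_tlv(data: bytes, pos: int):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509")
    pos += 1
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:  # indefinite or absurd length: not valid DER
            raise ValueError("invalid DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, pos, end


def children(data: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def classify_ec_parameters(der: bytes):
    """One entry per id-ecPublicKey AlgorithmIdentifier found anywhere in the DER tree:
    'namedCurve' (OID), 'explicit' (ECParameters SEQUENCE), 'implicit' (NULL) or 'absent'."""
    found = []

    def walk(start, end):
        items = list(children(der, start, end))
        for i, (tag, vs, ve) in enumerate(items):
            if tag == 0x06 and der[vs:ve] == ID_EC_PUBLIC_KEY:
                # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
                if i + 1 < len(items):
                    ptag = items[i + 1][0]
                    found.append({0x06: "namedCurve", 0x30: "explicit", 0x05: "implicit"}.get(ptag, "unknown"))
                else:
                    found.append("absent")
            if tag & 0x20:  # constructed element (SEQUENCE, SET, [n] EXPLICIT): recurse
                walk(vs, ve)

    walk(0, len(der))
    return found


def has_explicit_ec_parameters(blob: bytes) -> bool:
    """Accept PEM or DER; True if any EC key inside uses explicit parameters."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", blob, re.S)
    der = base64.b64decode(m.group(1)) if m else blob
    return "explicit" in classify_ec_parameters(der)


def tlv(tag: int, payload: bytes) -> bytes:
    """Tiny DER encoder used only to build the constructed sample inputs below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed samples (not real keys): a BIT STRING shaped like an uncompressed point.
DUMMY_POINT = tlv(0x03, b"\x00\x04" + b"\x00" * 64)
SPKI_NAMED = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x06, SECP256R1)) + DUMMY_POINT)
# Explicit form: parameters are an ECParameters SEQUENCE (cut down here to version=1).
SPKI_EXPLICIT = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x30, tlv(0x02, b"\x01"))) + DUMMY_POINT)
# Nest the explicit SPKI inside extra SEQUENCEs to mimic its position in a Certificate.
CERT_LIKE = tlv(0x30, tlv(0x30, tlv(0x02, b"\x02") + SPKI_EXPLICIT))
PEM_LIKE = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_LIKE) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in [("named", SPKI_NAMED), ("explicit", SPKI_EXPLICIT), ("cert-like PEM", PEM_LIKE)]:
        print(f"{name}: explicit parameters present = {has_explicit_ec_parameters(blob)}")
```

Rejecting every explicit-parameter EC key is deliberately broader than the bug: the unpatched loop is reached only by certain invalid parameter sets, but RFC 5480 states that `specifiedCurve` and `implicitCurve` MUST NOT be used in PKIX certificates, so a pre-filter that drops them costs nothing for standards-conforming peers and removes the whole input class the advisory describes. A blob that does not parse as DER raises `ValueError`; a deployment would treat that as a reject as well.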

Mitigation

The attack relies on a TLS server certificate crafted by an attacker. Until the security fix is available, only connect to servers under control of your own organization or a trusted party.

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.07.100 (to be released on March 29th)
  • IGEL OS 10: Upgrade to IGEL OS 11.07.100 (to be released on March 29th)

References