Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services. Any customer action that is required will be highlighted in this blog and our associated Security Update Guides (CVE-2022-3786 Security Update Guide and CVE-2022-3602 Security Update Guide). As a best practice, customers that manage their own environments are encouraged to apply the latest security updates from OpenSSL. Customers are strongly encouraged to view the Security Update Guide to review any actions that they may need to take.
OpenSSL version 3.0.7 became generally available on November 1st, 2022 and OpenSSL downgraded CVE-2022-3602 from critical to high severity rating. OpenSSL 3.0.7 addresses two vulnerabilities (CVE-2022-3786 and CVE-2022-3602) that have Denial of Service impact for systems that perform certificate validation. An attacker could send a maliciously crafted certificate to a client or server that parses certificates as part of authentication resulting in a crash. At this time the vulnerability does not appear to reliably allow Remote Code Execution and is not known to be under attack.
The Denial of Service (DoS) vulnerability stems from a pair of buffer overflows which can be triggered in name constraint checking when OpenSSL does X.509 certificate validation. The buffer overflows occur after certificate chain validation and would require a Certificate Authority to have signed a malicious certificate – which is not unlikely – or for an application to continue certificate validation in spite of a failure to construct a certificate chain to a trusted issuer.
To exploit the vulnerabilities an attacker can craft a malicious email address in the X.509 certificate to cause an overflow on the stack. This could result in a crash and cause a Denial of Service.
This impacts both TLS clients and servers. For a client, the vulnerability could be triggered by connecting to a malicious server. For a server, it can be triggered if the server requests client certificate authentication and a client with a maliciously configured certificate connects to the server.
The only known mitigation is to upgrade to OpenSSL version 3.0.7.
Microsoft is taking action to update its product and services utilizing impacted OpenSSL 3.0 - 3.0.6.
We encourage our customers using impacted versions of OpenSSL to upgrade to OpenSSL version 3.0.7. See Microsoft Security Update Guides (CVE-2022-3786 Security Update Guide and CVE-2022-3602 Security Update Guide) for the list of Microsoft products and services that have a dependency on OpenSSL 3.0 - 3.0.6, that customers need to take action to update.