Recently, OpenSSL Update found two bugs in its Service. Also, the RSA Keys Operation has a High-Severity Vulnerability. Attacking these vulnerabilities can lead to Remote Code Execution Attacks, which can be too dangerous.
According to the sources…
A high-severity heap memory corruption exposure feigned the OpenSSL 3.0.4. The bugs were hidden inside the RSA “implementation for the X86_64 CPU that supports the AVX512IFMA instructions. While explaining the impact of this flaw (CVE-2022-2274, the thing that came into the spotlight was:
“Issues such as this make the RSA implementation with the 2048-bit private keys incorrect on such machines. During the computation, memory corruption will be going to happen. The result of this memory corruption will be – The attacker could perform a computation while targeting remote code execution on the machine”.
|Note: This vulnerability usually exists only with OpenSSL 3.0.4. It would never affect other versions that are 1.1.1 and 1.0.2.
This is briefly explained in the advisory that the perfect testing of OpenSSL on Weak Software will be going to fail. It is like something that should be noted down before distribution.
Apart from that, by utilizing AES-NI assembly optimized installation, vendors found a moderate-severity bug (CVE-2022-2097) in the AES OCB mode for 32-bit x 86 Platforms. In a few cases, this installation would fail to encrypt the data partially, which makes applying an OpenSSL Encryption worthless.
Due to that, the weakness will cause the data to be exposed in plaintext. The Data of size 16 Byte could be exposed that was existing in the memory beforehand but wasn’t written previously. In the rare chance of “in-place” encryption, the 16-byte plaintext could be revealed.
Well, it’s a serious issue, since OpenSSL doesn’t support OCB-based cipher, it won’t affect TLS and DTLS.
Updates are Available | Boot up Yours
On 15 June 2022, this bug (CVE-2022-2097) was first discovered by Mr. Alex Chenyavkovsky from Google. He got that the bug was affecting the OpenSSL versions 1.1.1 and 3.0.
Elsewhere, Mr. Xi Ruoyao found this bug on 22 June 2022, and just after that proposed a fix for it.
In the end, both exposures got their fixes that OpenSSL 3.0.5. Other than that, users that are utilizing version 1.1.1 are suggested here to upgrade the version to version 1.1.1q.
Of the different applications, to secure communications OpenSSL is the most trusted by users Globally. If we talk about an example, then to encrypt the device communication on a website it is installed in the HTTPS System. To secure web servers, users install Open-source SSL and TLS Protocols.
Kindly read more articles :