Patch Tuesday November 2022 – Microsoft Fixes Two OpenSSL Vulnerabilities
Malicious X.509 Certificates Can Trigger a Buffer Overflow and Denial of Service.
As part of its November 2022 release, Microsoft has shipped updates covering two OpenSSL vulnerabilities, CVE-2022-3602 and CVE-2022-3786, in affected Microsoft products. Both issues were publicly disclosed and fixed upstream by the OpenSSL project in OpenSSL 3.0.7 on 1 November 2022, about a week before Patch Tuesday; only OpenSSL 3.0.0 through 3.0.6 are affected, and no exploitation in the wild had been reported at the time. Aside from the two OpenSSL bugs, Microsoft's November release also includes miscellaneous fixes and improvements for various applications.
Patch Tuesday November – Highlights
November’s first highlight is CVE-2022-3786, aka OpenSSL: X.509 certificate verification buffer overrun. As its name suggests, CVE-2022-3786 is a buffer overflow, specifically a stack overflow in OpenSSL’s punycode decoding of internationalized domain names during certificate verification, and a threat actor can use it to crash the verifying application (Denial of Service). According to the OpenSSL security advisory, several conditions must be met. First, the threat actor must craft a malicious X.509 certificate and get the targeted application to verify it. Second, the bug is reached during name constraint checking, which runs after the certificate chain signature check, so the malicious certificate must either carry a valid signature from a CA (Certificate Authority) the target trusts, or the application must keep verifying after a ‘failure to construct path to trusted issuer’ error.
In the latter case the attack relies on the targeted application continuing to verify the certificate despite the returned error; otherwise a trusted (or compromised) CA has to have signed it. The trigger itself is a malicious email address in the X.509 certificate whose domain part is punycode-encoded (the ‘xn--’ form used for internationalized domain names). OpenSSL decodes that address while checking name constraints, and the decoder is where the overflow lies.
Passing such a certificate causes CVE-2022-3786 to overflow an arbitrary number of bytes on the stack, each holding the ‘.’ character (0x2E). The attacker controls how many bytes are written but not their value, so the practical outcome is a crash. CVE-2022-3602, the second OpenSSL vulnerability covered in November, sits in the same punycode code path and is triggered the same way, but the overflow itself differs: it writes exactly four attacker-controlled bytes past the buffer, which is why the OpenSSL project first rated it Critical and later downgraded it to High once stack layout and stack-protection mitigations on common platforms were taken into account. Both issues are fixed in OpenSSL 3.0.7, and Microsoft’s update carries that fix for its affected products; OpenSSL 1.1.1 and 1.0.2 are not affected.
Both bugs are reachable over TLS. A TLS client is exposed when it connects to a malicious server that presents such a certificate; a TLS server is exposed only if it requests client authentication and a malicious client presents the certificate in response. Any other code path that verifies X.509 certificates with an affected OpenSSL build is exposed in the same way. Both CVEs share these conditions and the same fix, which is part of the November release.
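The off-by-one behind CVE-2022-3602, as an added illustration that is not OpenSSL’s code: a simplified RFC 3492 punycode decoder written for this article, in which the function names, the `off_by_one` switch, the canary layout and the test label are assumptions chosen for the demo. OpenSSL 3.0.0 to 3.0.6 tested `written_out > max_out` before inserting a decoded code point and 3.0.7 changed it to `>=`; the example decodes the punycode of “münchen” into a buffer it has been told is one code point too small, once with the vulnerable check and once with the corrected one, and counts how many canary slots past the buffer were overwritten:

```c
/* Added illustration, not OpenSSL's source: a minimal RFC 3492 punycode
 * decoder carrying the kind of off-by-one bounds check behind CVE-2022-3602.
 * All names below are assumptions made for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128 };

static int digit_value(char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

static uint32_t adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;
    delta = firsttime ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE)
        delta /= BASE - TMIN;
    return k + ((BASE - TMIN + 1) * delta) / (delta + SKEW);
}

/* Decode the text after "xn--" into `out`, which the caller says holds
 * `max_out` code points.  Returns the count written, or -1 on error.
 * `off_by_one` selects the vulnerable `>` check instead of the fixed `>=`. */
static int punycode_decode(const char *in, uint32_t *out, size_t max_out,
                           int off_by_one)
{
    size_t in_len = strlen(in), written = 0, pos = 0;
    uint32_t n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
    const char *delim = strrchr(in, '-');

    /* ASCII code points before the last '-' are copied through unchanged. */
    if (delim != NULL) {
        for (pos = 0; pos < (size_t)(delim - in); pos++) {
            if ((unsigned char)in[pos] >= 0x80 || written >= max_out)
                return -1;
            out[written++] = (unsigned char)in[pos];
        }
        pos++;                                  /* skip the delimiter */
    }
    while (pos < in_len) {
        uint32_t oldi = i, w = 1, k, t;
        int digit;
        for (k = BASE; ; k += BASE) {
            if (pos >= in_len || (digit = digit_value(in[pos++])) < 0)
                return -1;
            if ((uint32_t)digit > (UINT32_MAX - i) / w)
                return -1;                      /* arithmetic overflow */
            i += (uint32_t)digit * w;
            t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
            if ((uint32_t)digit < t)
                break;
            if (w > UINT32_MAX / (BASE - t))
                return -1;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (uint32_t)written + 1, oldi == 0);
        n += i / ((uint32_t)written + 1);
        i %= (uint32_t)written + 1;
        /* The check at issue: with off_by_one, written == max_out slips
         * through and the store below lands one code point (4 bytes) past
         * the buffer the caller provided. */
        if (off_by_one ? written > max_out : written >= max_out)
            return -1;
        memmove(&out[i + 1], &out[i], (written - i) * sizeof out[0]);
        out[i] = n;
        written++;
        i++;
    }
    return (int)written;
}

struct trial { int rc; int clobbered; uint32_t at1; };

/* Decode "mnchen-3ya" (punycode of "münchen", constructed test input) into a
 * buffer the decoder is told holds only six code points, one short.  The
 * backing array has four spare canary slots, so an overflow stays inside
 * memory we own and can be counted instead of smashing the stack. */
static struct trial undersized_trial(int off_by_one)
{
    uint32_t backing[6 + 4];
    struct trial r = { 0, 0, 0 };
    for (size_t j = 0; j < 10; j++)
        backing[j] = 0xDEADBEEFu;
    r.rc = punycode_decode("mnchen-3ya", backing, 6, off_by_one);
    r.at1 = backing[1];                         /* U+00FC when decoding ran */
    for (size_t j = 6; j < 10; j++)
        r.clobbered += backing[j] != 0xDEADBEEFu;
    return r;
}

int main(void)
{
    struct trial v = undersized_trial(1), f = undersized_trial(0);
    printf("vulnerable '>' check: rc=%d, canary slots overwritten=%d\n", v.rc, v.clobbered);
    printf("fixed '>=' check:     rc=%d, canary slots overwritten=%d\n", f.rc, f.clobbered);
    return 0;
}
```

Compile with `cc -std=c99 -o punydemo punydemo.c` and run it. The vulnerable check reports one overwritten slot, i.e. exactly four bytes, which is the CVE-2022-3602 overflow; the fixed check refuses the undersized buffer instead of writing past it. CVE-2022-3786 lives one layer up, in the code that reassembles decoded labels into a dotted domain name, where a ‘.’ was appended without checking the remaining output space, which is why that bug overflows an attacker-chosen number of ‘.’ bytes rather than four controlled ones.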
Additional Cybersecurity Advice and Conclusion
This concludes the November edition of our Patch Tuesday series. I hope you’ve enjoyed it. Before I go, I’m going to share some tips that will help improve your overall cybersecurity posture and, of course, safeguard your digital assets against CVE-2022-3786, CVE-2022-3602, and similar vulnerabilities.
- Automatic patching. Smaller organizations tend to rely on manual patching to deploy improvement-carrying packages. Repetition may be the mother of good habits, but manual patching stops scaling quickly once you find yourself in the boots of an enterprise IT admin. If configured correctly, an automatic patching solution ensures timely (and correct) deployment with a low risk of incompatibility. For these two CVEs in particular, the thing to track is which OpenSSL build each application carries: only OpenSSL 3.0.0 through 3.0.6 is affected, 1.1.1 and 1.0.2 are not, and applications that bundle or statically link their own copy of OpenSSL need a vendor update rather than a system library update. Heimdal®’s Patch & Asset Management can help you distribute patches quickly, whether they are OS-specific, 3rd party, proprietary, or UX/UI-oriented.
- Certificate validation guard rails. Certificate validation usually happens quietly in the background during the handshake, and the malicious certificate in this case does not need to pass validation at all if the application keeps going after a path-building failure. Review how your applications handle verification errors: a client that logs an ‘unable to get local issuer certificate’ error and continues anyway is exactly the configuration these bugs rely on, and it should fail closed instead. Where a TLS server accepts client certificates, keep client authentication off unless it is needed, and make sure the OpenSSL build behind it is 3.0.7 or later. Online SSL certificate checkers, free or paid, are useful for confirming that your own servers present a valid chain, but they do not protect a client from a malicious certificate presented by someone else.
- Patching prowess. Even with automatic patching in place, you’re still the one holding the stick, and it’s your job to see that every patch is deployed correctly and on time. If you’re managing a team, consider drafting a set of patching protocols. Include dates, times, operating systems, tests, and anything else you can think of, and for library vulnerabilities like these, a step that confirms the running version after deployment (for example, `openssl version` on each host) rather than trusting the deployment report alone.