Description: CVE-2022-3786 and CVE-2022-3602 are stack buffer overflow vulnerabilities in OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7; the 1.1.1 and 1.0.2 series are not affected). Both are triggered by a maliciously crafted email address in an X.509 certificate during name constraint checking.
Details: According to the OpenSSL advisory, the overflow occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate, or the application to continue certificate verification despite failing to build a path to a trusted issuer. In other words, exploitability is significantly limited:
- Where a server is the target (a web server, database server, mail server, etc.): the server must first request client authentication as part of a mutual TLS configuration. This is an unusual configuration, usually reserved for higher-security use cases.
- Where a client is the target (web browser, email reader, database connector, etc.): the attacker must first coerce a vulnerable client into connecting to a malicious server. This could be done through impersonation (MitM on the network, hijacking an existing resource, etc.) or by giving a person an incentive to click a link (phishing, watering holes, etc.).
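The two exposure conditions above, together with the affected version range, are easy to turn into an inventory triage rule. The following Python is an added example written for this page, not code from Barracuda or the OpenSSL project. It parses `openssl version` banners (preferring the runtime "Library:" version over the version the CLI binary was built against), flags the upstream 3.0.0 to 3.0.6 range, and then classifies each host by whether a server actually requests client certificates or a client can be steered to untrusted servers. The `Deployment` fields and the sample inventory are constructed for illustration; the hostnames and banners are not real systems.

```python
import re
from dataclasses import dataclass

# CVE-2022-3786 / CVE-2022-3602 affect upstream OpenSSL 3.0.0 through 3.0.6;
# 3.0.7 fixes both. OpenSSL 1.1.1, 1.0.2 and earlier are not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from `openssl version` output, or None.

    When the banner carries a '(Library: OpenSSL x.y.z ...)' suffix, the
    library version is what runs at runtime, so prefer it over the version
    the CLI binary was compiled against.
    """
    lib = banner.find("Library:")
    target = banner[lib:] if lib != -1 else banner
    m = _VERSION_RE.search(target)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def version_is_affected(version) -> bool:
    """True for upstream 3.0.0..3.0.6.

    Caveat: distribution packages that backport the fix keep the old version
    number, so True means "check the package changelog", not "vulnerable".
    """
    return AFFECTED_MIN <= version < FIXED_IN


@dataclass
class Deployment:
    name: str
    openssl_banner: str
    role: str                                    # "server" or "client"
    requests_client_cert: bool = False           # server asks for mutual TLS
    connects_to_untrusted_servers: bool = False  # client talks to arbitrary peers


def triage(d: Deployment) -> str:
    """Classify one deployment using the advisory's exposure conditions."""
    version = parse_openssl_version(d.openssl_banner)
    if version is None:
        return "unknown"
    if not version_is_affected(version):
        return "not-affected"
    if d.role == "server":
        # A server only parses a peer certificate if it requested one.
        return "exposed" if d.requests_client_cert else "affected-low-exposure"
    if d.role == "client":
        # A client is exposed when it can be steered to a malicious server
        # whose certificate passes (or is allowed to fail) chain validation.
        return "exposed" if d.connects_to_untrusted_servers else "affected-low-exposure"
    return "unknown"


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = [
    Deployment("web-lb", "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)", "server"),
    Deployment("vpn-gw", "OpenSSL 3.0.5 5 Jul 2022", "server", requests_client_cert=True),
    Deployment("mail-client", "OpenSSL 3.0.7 1 Nov 2022", "client", connects_to_untrusted_servers=True),
    Deployment("legacy-api", "OpenSSL 1.1.1q  5 Jul 2022", "server", requests_client_cert=True),
    # CLI was rebuilt against 3.0.7, but the shared library is still 3.0.5.
    Deployment("cli-box", "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)", "client",
               connects_to_untrusted_servers=True),
]


def triage_inventory(inventory=SAMPLE_INVENTORY) -> dict:
    """Map each deployment name to its triage verdict."""
    return {d.name: triage(d) for d in inventory}


if __name__ == "__main__":
    for name, verdict in triage_inventory().items():
        print(f"{name:12s} {verdict}")
```

The "cli-box" entry is the case worth remembering: `openssl version` reports the binary's build version first, and only the "Library:" suffix reveals the shared library actually loaded by applications, which is what the hotfix must replace.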
CVSS: not available at the time of writing
Severity: High
CVE: CVE-2022-3786 and CVE-2022-3602
Barracuda Networks: Barracuda CloudGen Firewall and Barracuda CloudGen WAN firmware versions 8.3.0 and higher are vulnerable to the buffer overflow vulnerabilities described above.
The respective hotfix for immediate mitigation is available here.