Barracuda Load Balancer ADC

OpenSSL Vulnerabilities

This article provides information about multiple vulnerabilities disclosed by the OpenSSL organization on 9th Feb 2023. The reported CVEs have various attack vectors and modalities, and OpenSSL has released a security update with fixes. An attacker could exploit these vulnerabilities to take over the impacted systems.

OpenSSL is a software library that applications use to secure communications over the internet; it is used by the majority of internet-facing HTTPS websites.

The following table provides key information about the vulnerabilities.

Table 1: Vulnerabilities and Barracuda Networks Advisory

| Vulnerability | CVSS Score / Severity | Affected OpenSSL Version | Barracuda ADC Affected | Barracuda Networks Advisory |
|---|---|---|---|---|
| CVE-2023-0286 | Awaited / High | 3.0, 1.1.1 and 1.0.2 | Yes | Support-assisted manual patch |
| CVE-2022-4304 | Awaited / Moderate | 3.0, 1.1.1 and 1.0.2 | Yes | Support-assisted manual patch |
| CVE-2023-0215 | Awaited / Moderate | 3.0, 1.1.1 and 1.0.2 | Yes | Support-assisted manual patch |
| CVE-2022-4450 | Awaited / Moderate | 3.0 and 1.1.1 | Yes | Support-assisted manual patch |
| CVE-2022-4203 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |
| CVE-2023-0216 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |
| CVE-2023-0217 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |
| CVE-2023-0401 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |

Exploit Description

This section briefly describes each of the reported vulnerabilities.

Refer to the vendor advisory for full details and attack modalities.

Table 2: CVEs and Exploit Description

| Number | CVE | Exploit Description |
|---|---|---|
| 1 | CVE-2023-0286 | A type confusion vulnerability was found in OpenSSL when processing X.400 addresses inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service. |
| 2 | CVE-2022-4304 | A timing-based side channel exists in the OpenSSL RSA decryption implementation, which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. |
| 3 | CVE-2022-4203 | A flaw was found in OpenSSL. A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. |
| 4 | CVE-2023-0215 | A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. |
| 5 | CVE-2022-4450 | A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. |
| 6 | CVE-2023-0216 | A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. This may result in an application crash, which could lead to a denial of service. |
| 7 | CVE-2023-0217 | A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key with the EVP_PKEY_public_check() function, most likely leading to an application crash. |
| 8 | CVE-2023-0401 | A NULL pointer vulnerability was found in OpenSSL, which can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. |

Barracuda Load Balancer ADC Mitigation

Applicable for Barracuda Load Balancer ADC 540 and above:

  1. CVE-2023-0286 (High) - Impacts only deployments that use the Certificate Revocation Lists feature on the ADC.
  2. CVE-2022-4304 (Moderate) - Affects cipher suites that use RSA for key exchange.

Contact Barracuda Networks Technical Support for an assisted resolution.

The Barracuda Networks Threat Research Team will update this advisory as research data from internal and external threat sources evolves.

Recommendation

As a best practice, users of affected versions should upgrade to the fixed release listed by the vendor. Refer to Table 1 for the applicable advisory for each CVE.

Vendor Advisory: https://www.openssl.org/news/secadv/20230207.txt

  1. For the CVEs that affect OpenSSL versions 3.0, 1.1.1, and 1.0.2 (see Table 1):
    1. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
    2. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
    3. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg.
  2. For the CVEs that affect only OpenSSL versions 3.0.0 to 3.0.7 (see Table 1):
    1. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
    2. OpenSSL 1.1.1 and 1.0.2 are not affected by these issues.
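The following is an added example, not part of the original advisory or of Barracuda's or OpenSSL's own tooling: a small triage helper that parses an `openssl version` string and compares it against the fixed releases listed above (3.0.8, 1.1.1t, 1.0.2zg). The version strings in the comments are constructed test inputs; the one detail worth getting right is that 1.x letter patches sort a..z and then za, zb, ..., so 1.0.2zf is older than 1.0.2zg.

```python
import re
import subprocess

# Fixed releases from the OpenSSL advisory referenced above: the first
# release of each series that contains all of the February 2023 fixes.
FIXED_RELEASES = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn `openssl version` output (or a bare version) into a sortable tuple.

    OpenSSL 1.x patch releases are lettered a..z and then za, zb, ... (so
    1.0.2z < 1.0.2za < 1.0.2zg); 3.x uses a numeric patch level only.
    Letters map to a tuple of 1-based positions, e.g. "t" -> (20,),
    "zg" -> (26, 7), "" -> (), which Python compares in the right order.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    letters = tuple(ord(c) - ord("a") + 1 for c in m.group(4))
    return (major, minor, patch, letters)


def series_of(version):
    """Release series the advisory keys on: '1.1.1' / '1.0.2' for 1.x, '3.0' for 3.x."""
    major, minor, patch, _ = version
    return f"{major}.{minor}.{patch}" if major < 3 else f"{major}.{minor}"


def triage(text):
    """Return (series, status); status is 'fixed', 'vulnerable' or 'not covered'."""
    version = parse_version(text)
    series = series_of(version)
    fixed = FIXED_RELEASES.get(series)
    if fixed is None:
        return series, "not covered"
    return series, "fixed" if version >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Query the local binary; the same function works on a string collected
    # from any host, e.g. "OpenSSL 1.1.1q  5 Jul 2022" (constructed example).
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(out.strip(), "->", triage(out))
```

Distribution builds that backport fixes keep the upstream version string, so treat a "vulnerable" result as a prompt to check the package changelog rather than as proof.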