Barracuda Web Application Firewall

OpenSSL Vulnerabilities

This article provides information about multiple vulnerabilities disclosed by the OpenSSL organization on February 9, 2023. The reported CVEs have various attack vectors and modalities. OpenSSL has released a security update with fixes. Attackers can exploit these vulnerabilities to take over the affected systems.

OpenSSL is a software library that applications use to secure communications over the internet; it is used by the majority of internet-facing HTTPS websites.

The following table provides key information about the vulnerabilities.

Table 1: Vulnerabilities and Barracuda Networks Advisory

| Vulnerability | CVSS Score / Severity | Affected OpenSSL Version | Barracuda WAF Affected | Barracuda Networks Advisory |
|---|---|---|---|---|
| CVE-2023-0286 | Awaited / High | 3.0, 1.1.1 and 1.0.2 | Yes | Support-assisted: manual patch, or upgrade to the internal firmware |
| CVE-2022-4304 | Awaited / Moderate | 3.0, 1.1.1 and 1.0.2 | Yes | Support-assisted: manual patch, or upgrade to the internal firmware |
| CVE-2023-0215 | Awaited / Moderate | 3.0, 1.1.1 and 1.0.2 | Yes | Support-assisted: manual patch, or upgrade to the internal firmware |
| CVE-2022-4450 | Awaited / Moderate | 3.0 and 1.1.1 | Yes | Support-assisted: manual patch, or upgrade to the internal firmware |
| CVE-2022-4203 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |
| CVE-2023-0216 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |
| CVE-2023-0217 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |
| CVE-2023-0401 | Awaited / Moderate | 3.0.0 to 3.0.7 | NA | Not applicable |

Exploit Description

The following section gives a brief description of each reported vulnerability.

Refer to the vendor advisory for full details and attack modalities.

Table 2: CVEs and Exploit Description

| Number | CVE | Exploit Description |
|---|---|---|
| 1 | CVE-2023-0286 | A type confusion vulnerability was found in OpenSSL in the processing of X.400 addresses inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow attackers to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service. |
| 2 | CVE-2022-4304 | A timing-based side channel exists in the OpenSSL RSA decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher-style attack. |
| 3 | CVE-2022-4203 | A flaw was found in OpenSSL. A read buffer overrun can be triggered in X.509 certificate verification, specifically in name-constraint checking. |
| 4 | CVE-2023-0215 | A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. |
| 5 | CVE-2022-4450 | A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. |
| 6 | CVE-2023-0216 | A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. This may result in an application crash that can lead to a denial of service. |
| 7 | CVE-2023-0217 | A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key with the EVP_PKEY_public_check() function, most likely leading to an application crash. |
| 8 | CVE-2023-0401 | A NULL pointer vulnerability was found in OpenSSL, which can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. |

Barracuda WAF Mitigation

  1. CVE-2023-0286 (High) – Affects only deployments using the Certificate Revocation Lists feature on WAF.
  2. CVE-2022-4304 (Moderate) – Affects cipher suites that use RSA for key exchange.

You can choose either of the following options for an assisted resolution from Barracuda Networks Technical Support:

  • Apply the fix on the existing 12.1.x firmware version.
  • Upgrade the firmware to 12.1.0.006, which contains the required fix.

The Barracuda Networks Threat Research Team will update this advisory as research data evolves from internal and external threat data sources.

Recommendation

As a best practice, users of affected versions should upgrade to the fixed versions listed by the vendor. Refer to Table 1 for the applicable advisory for each CVE.

Vendor Advisory: https://www.openssl.org/news/secadv/20230207.txt

  1. For the issues affecting OpenSSL versions 3.0, 1.1.1, and 1.0.2 (see Table 1):
    1. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
    2. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
    3. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg.
  2. For the issues affecting only OpenSSL versions 3.0.0 to 3.0.7 (see Table 1):
    1. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
    2. OpenSSL 1.1.1 and 1.0.2 are not affected by these issues.
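The following Python helper is an added example, not part of this advisory or of Barracuda's tooling: it compares an installed OpenSSL version string (as printed by `openssl version`) against the fixed releases named above. The fixed versions come from the vendor advisory; the ordering rule for 1.x letter suffixes (a..z, then za..zz) is OpenSSL's own patch-release scheme, and the banner format is assumed to be the upstream `OpenSSL <version> <date>` form.

```python
"""Classify an OpenSSL version against the fixed releases named in the
OpenSSL 2023-02-07 advisory (3.0.8, 1.1.1t, 1.0.2zg)."""
import re
from typing import Optional, Tuple

# Fixed releases from the vendor advisory referenced on this page, keyed by series.
FIXED = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def letters_to_int(suffix: str) -> int:
    """Order the 1.x letter patch suffix: '' < 'a' < ... < 'z' < 'za' < ... < 'zz'.
    Each leading 'z' adds 26 and the final letter adds 1..26, so 'zg' is 33."""
    if not suffix:
        return 0
    head, last = suffix[:-1], suffix[-1]
    if head.strip("z"):  # only 'z' may precede the final letter
        raise ValueError(f"unexpected patch suffix: {suffix!r}")
    return 26 * len(head) + (ord(last) - ord("a") + 1)

def parse(version: str) -> Tuple[int, int, int, int]:
    """'1.1.1t' -> (1, 1, 1, 20); '3.0.8' -> (3, 0, 8, 0). Tuples compare in release order."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, suffix = m.groups()
    return int(major), int(minor), int(fix), letters_to_int(suffix)

def release_series(version: str) -> Optional[str]:
    """Series key used by the advisory ('3.0', '1.1.1', '1.0.2'), or None if not listed."""
    major, minor, fix, _ = parse(version)
    if major == 3 and minor == 0:
        return "3.0"
    series = f"{major}.{minor}.{fix}"  # for 1.x the third component names the series
    return series if series in FIXED else None

def assess(version: str) -> str:
    """'patched', 'vulnerable', or 'not covered' (a series this advisory does not list)."""
    series = release_series(version)
    if series is None:
        return "not covered"
    return "patched" if parse(version) >= parse(FIXED[series]) else "vulnerable"

def from_banner(banner: str) -> str:
    """Extract the version token from `openssl version` output, e.g. 'OpenSSL 1.1.1q  5 Jul 2022'."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", banner)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    return m.group(1)
```

Treat a "vulnerable" result as a first pass only: distribution packages often backport the fixes without changing the upstream version string, so confirm against the package changelog, and assess Barracuda WAF firmware through Table 1 rather than through this check.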