In Mid March, OpenSSL released updates to address a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2022-0778, that affects the BN_mod_sqrt() function used when certificate parsing. The flaw was discovered by the popular Google Project Zero researcher Tavis Ormandy.
An attacker can trigger the vulnerability by crafting a malformed certificate with invalid explicit curve parameters.
“The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” reads the advisory for this flaw. “It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.”
The vulnerability impacts OpenSSL versions 1.0.2, 1.1.1 and 3.0, the maintainers of the project addressed the flaw with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2.
Palo Alto Networks warns that an attacker can trigger the vulnerability to cause the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a DoS condition.
“All PAN-OS software updates for this issue are expected to be released in April 2022. The full fixed versions for PAN-OS hotfixes will be updated in this advisory as soon as they are available.” states Palo Alto Network.
The company is expected to release security fixes for the above vulnerability during the week of April 18.
According to Palo Alto, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a flawed version of the OpenSSL library, while Prisma Cloud and Cortex XSOAR solutions are not impacted.
Below is the product status shared by Palo Alto Networks:
|Cortex XDR Agent||all|
|PAN-OS 10.2||< 10.2.1||>= 10.2.1|
|PAN-OS 10.1||< 10.1.5-hf||>= 10.1.5-hf|
|PAN-OS 10.0||< 10.0.10||>= 10.0.10|
|PAN-OS 9.1||< 9.1.13-hf||>= 9.1.13-hf|
|PAN-OS 9.0||< 9.0.16-hf||>= 9.0.16-hf|
|PAN-OS 8.1||< 8.1.23||>= 8.1.23|
|Prisma Access 3.0||Preferred, Innovation|
|Prisma Access 2.2||Preferred|
|Prisma Access 2.1||Preferred, Innovation|
“We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available during the week of April 18, 2022.” continues the advisory.
Waiting for PAN-OS security patches, the vendor states that customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to reduce the risk of exploitation for this issue.
Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform
(SecurityAffairs – hacking, cybercrime)