CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows

On November 1, OpenSSL released a [security advisory](https://www.openssl.org/news/secadv/20221101.txt) describing two high severity vulnerabilities within the OpenSSL library, CVE-2022-3786 and CVE-2022-3602. OpenSSL versions from 3.0.0 - 3.0.6 are vulnerable, with 3.0.7 containing the patch for both vulnerabilities. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. The vulnerability described in CVE-2022-3602 allows an attacker to obtain a 4-byte overflow on the stack by crafting a malicious email address within the attacker-controlled certificate. The overflow will result in a crash (most likely scenario) or potentially remote code execution (much less likely). In CVE-2022-3786, an attacker can achieve a stack overflow of arbitrary length by crafting a malicious email address within the attacker-controlled certificate. Both vulnerabilities are “triggered through X.509 certificate verification, specifically, name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.” **The playbook includes the following tasks:** * Hunting for active processes running OpenSSL vulnerable versions using: * Cortex XDR * Splunk * Azure Sentinel * Cortex Xpanse * Prisma * PANOS **Mitigations:** * OpenSSL official patch More information: [Unit42 Threat Brief: CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows](https://unit42.paloaltonetworks.com/openssl-vulnerabilities/) [NCSC-NL - OpenSSL overview Scanning software](https://github.com/NCSC-NL/OpenSSL-2022/tree/main/scanning) Note: This is a beta playbook that lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows · 49 tasks · 8 inputs · 0 outputs

Inputs

  • HuntLinuxOS — Whether to search for relevant OpenSSL 3.x processes on Linux endpoints.
  • HuntWindowsOS — Whether to search for relevant OpenSSL 3.x processes on Windows endpoints.
  • HuntMacOS — Whether to search for relevant OpenSSL 3.x processes on Mac endpoints.
  • SplunkIndex — Splunk index to search. Note that the input value should include the field name as well. e.g. "index=*"
  • SplunkEarliestTime — Splunk earliest time to search.
  • SplunkLatestTime — Splunk latest time to search.
  • PlaybookDescription — The playbook's description.
  • RelatedCVEs — CVE indicators.

Commands used

associateIndicatorsToIncident azure-log-analytics-execute-query closeInvestigation createNewIndicator expanse-get-issues prisma-cloud-config-search redlock-get-rql-response splunk-search xdr-get-endpoints xdr-script-commands-execute

Flowchart

no yes yes yes yes yes yes yes Yes No Yes yes yes yes yes yes Start Start Tag and Link Indicators Tag and Link Indicators Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator Check if Cortex XDR - IR is Enabled - IsIntegrationAvailable Check if Cortex XDR - IR ... IsIntegrationAvailable Cortex XDR Hunting Cortex XDR Hunting Retrieve All Windows OS Endpoint IDs - xdr-get-endpoints Retrieve All Windows OS E... xdr-get-endpoints Linux OS Linux OS Windows OS Windows OS Retrieve All Mac OS Endpoint IDs - xdr-get-endpoints Retrieve All Mac OS Endpo... xdr-get-endpoints MacOS MacOS Should hunt for Windows endpoints? Should hunt for Windows e... Should hunt for Linux endpoints? Should hunt for Linux end... Should hunt for Mac endpoints? Should hunt for Mac endpo... Link Indicators To Incident - associateIndicatorsToIncident Link Indicators To Incident associateIndicatorsToIncident SIEM Advanced Hunting SIEM Advanced Hunting Is Azure Log Analytics Enabled? Is Azure Log Analytics En... Hunt for active processes running OpenSSL 3.x - splunk-search Hunt for active processes... splunk-search Is Splunk Enabled? Is Splunk Enabled? Azure Sentinel Azure Sentinel Splunk Splunk Hunt for active processes running OpenSSL 3.x - azure-log-analytics-execute-query Hunt for active processes... azure-log-analytics-execute-q... Install OpenSSL 3.0.7 Install OpenSSL 3.0.7 Mitigation Mitigation Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Download OpenSSL 3.0.7 - HttpV2 Download OpenSSL 3.0.7 HttpV2 Handle Rapid Breach Response Layout Handle Rapid Breach Respo... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Cortex Xpanse Cortex Xpanse Is Xpanse enabled? Is Xpanse enabled? Search for possible vulnerable servers using Xpanse - expanse-get-issues Search for possible vulne... expanse-get-issues Review possible vulnerable servers Review possible vulnerabl... Prisma Cloud Prisma Cloud Is Prisma Cloud enabled? Is Prisma Cloud enabled? Search for possible vulnerable servers using Prisma Cloud - redlock-get-rql-response Search for possible vulne... redlock-get-rql-response Review possible vulnerable servers Review possible vulnerabl... Found servers using Xpanse? Found servers using Xpanse? Found servers using Prisma Cloud? Found servers using Prism... Identify Potentially Vulnerable Hosts Identify Potentially Vuln... PANOS PANOS Panorama Query Logs - Panorama Query Logs Panorama Query Logs Panorama Query Logs XDR Execute Command - xdr-script-commands-execute XDR Execute Command xdr-script-commands-execute XDR Execute Command - xdr-script-commands-execute XDR Execute Command xdr-script-commands-execute XDR Execute Command - xdr-script-commands-execute XDR Execute Command xdr-script-commands-execute Retrieve All Linux OS Endpoint IDs - xdr-get-endpoints Retrieve All Linux OS End... xdr-get-endpoints Search for Prisma Cloud Vulnerable Servers - prisma-cloud-config-search Search for Prisma Cloud V... prisma-cloud-config-search