The OpenSSL Project team has published an official advisory on the X.509 email address buffer overflow vulnerabilities assigned as CVE-2022-3602 and CVE-2022-3786. Before this announcement, there was a growing concern over these vulnerabilities as many pieces of commercial software, including those deployed in connected cars, use OpenSSL to secure network communications.
What to know and do about the OpenSSL vulnerabilities
CVE-2022-3602 is a 4-byte buffer overflow that can be triggered when verifying TLS (X.509) certificates. If exploited, it could result in a crash or a remote code execution (RCE).
Meanwhile, CVE-2022-3786 is an arbitrary-length stack-buffer overflow that can be triggered when verifying TLS (X.509) certificates. If exploited, it could trigger a denial-of-service (DoS) state.
The two vulnerabilities have been confirmed to affect only OpenSSL versions 3.0.0 through 3.0.6. Users are encouraged to upgrade to 3.0.7, which contains the patch for both, as soon as possible. Developers working on new applications are also advised to use the latest version.
Since the fix was announced, CVE-2022-3602 has been downgraded from a critical to a high severity rating. According to the OpenSSL blog, RCE is no longer considered likely in common situations; at present, the risk might already be mitigated by the stack layout protections present on most modern platforms.
More details and updated information on the OpenSSL vulnerabilities can be found in Trend Micro’s blog entry.
How automotive OEMs can mitigate this issue
Since OpenSSL 3.0.0, the first affected version, was released only in September 2021, it is possible that many applications are still running older versions that do not contain these flaws. The recent OpenSSL vulnerabilities also do not appear to be as severe as the Heartbleed bug, which wreaked havoc on systems that were meant to be protected by OpenSSL’s SSL/TLS encryption.
Nonetheless, OEMs and software vendors that use OpenSSL to generate encryption keys, create CSRs, and install SSL/TLS certificates should still scan their systems to identify internal applications using the affected versions. VicOne’s existing OEM customers and suppliers can easily do this by uploading their software and firmware packages to the xZETA platform.
Figure 1. An xZETA report identifying vulnerabilities, including the recent OpenSSL flaws CVE-2022-3602 and CVE-2022-3786, in an automotive-grade open-source operating system
VicOne’s xZETA platform can automatically generate a software bill of materials (SBOM) and report any vulnerable packages. Its vulnerability report can then be used to check for possible solutions and mitigation to resolve any detected OpenSSL vulnerabilities.
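The version check described above (affected range 3.0.0 through 3.0.6, fixed in 3.0.7) is simple to apply to a component inventory once the version strings are normalised. The script below is an added example, not VicOne's xZETA code or any OpenSSL project code: it takes a list of component dictionaries in the shape of a CycloneDX "components" array (a constructed sample is embedded), extracts the upstream x.y.z version from strings such as "OpenSSL 3.0.2 15 Mar 2022", "1.1.1q" or "3.0.2-0ubuntu1.7", and reports which entries fall in the affected range. Packages with a distribution revision suffix are flagged for manual verification rather than marked affected, because distro builds often backport the fix without bumping the upstream version number. The component names and versions in the sample are illustrative assumptions, not values taken from a real firmware image.

```python
"""Classify OpenSSL version strings against the CVE-2022-3602 / CVE-2022-3786
affected range (3.0.0 through 3.0.6, fixed in 3.0.7) and apply the check to a
constructed SBOM-style component list."""
import re
from typing import List, Optional, Tuple

# Affected range as stated in the OpenSSL advisory.
AFFECTED_MIN = (3, 0, 0)   # first affected release
FIXED_IN = (3, 0, 7)       # first release carrying the fix
CVES = ("CVE-2022-3602", "CVE-2022-3786")

# Matches the leading x.y.z of "3.0.2", "OpenSSL 3.0.2 15 Mar 2022",
# "1.1.1q", "3.0.2-0ubuntu1.7" or "3.0.7+quic".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")
# A distro revision suffix ("-0ubuntu1.7", "-1.el9") means the package may
# carry a backported fix that the upstream version number does not reveal.
_DISTRO_SUFFIX_RE = re.compile(r"\d+\.\d+\.\d+[a-z]*[-~+]")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the upstream (major, minor, patch) tuple, or None if absent."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def classify(text: str) -> str:
    """Return 'affected', 'verify-backport', 'not-affected' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    if AFFECTED_MIN <= version < FIXED_IN:
        # Same upstream number, but a distro build may already be patched.
        return "verify-backport" if _DISTRO_SUFFIX_RE.search(text) else "affected"
    return "not-affected"


def scan_components(components: List[dict]) -> List[dict]:
    """Report every OpenSSL-derived component whose version needs attention."""
    findings = []
    for comp in components:
        name = comp.get("name", "").lower()
        if name not in ("openssl", "libssl", "libssl3", "libcrypto"):
            continue
        version = comp.get("version", "")
        status = classify(version)
        if status != "not-affected":
            findings.append({"name": comp["name"], "version": version,
                             "status": status, "cves": list(CVES)})
    return findings


# Constructed sample in the shape of a CycloneDX "components" array; the
# package names and versions are illustrative, not from a real firmware image.
SAMPLE_COMPONENTS = [
    {"name": "openssl", "version": "3.0.5"},
    {"name": "libssl3", "version": "3.0.2-0ubuntu1.7"},
    {"name": "openssl", "version": "1.1.1q"},
    {"name": "openssl", "version": "3.0.7"},
    {"name": "zlib", "version": "1.2.13"},
    {"name": "libcrypto", "version": "unknown"},
]

if __name__ == "__main__":
    for f in scan_components(SAMPLE_COMPONENTS):
        print(f"{f['name']:10} {f['version']:20} {f['status']:16} {', '.join(f['cves'])}")
```

Run against the sample, the script reports the 3.0.5 build as affected, the Ubuntu-style 3.0.2 package as needing backport verification, and the entry with no parseable version as unknown; 1.1.1q and 3.0.7 are left out because neither is in the affected range. The "unknown" status is deliberate: an SBOM entry with no usable version is a gap in the inventory, not evidence of safety.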
Aside from software updates, VicOne recommends a more comprehensive automotive cybersecurity strategy to better protect today’s connected vehicles from similar vulnerabilities in the future.
As a Trend Micro subsidiary, VicOne leverages the cybersecurity leader’s over 30 years of industry expertise and offers the following solutions:
- xNexus, an extended detection and response (XDR) platform for vehicle security operations centers (VSOCs), can help build awareness mechanisms and early warning for incoming attacks.
- xCarbon, an intrusion detection and prevention system (IDPS) for electronic control units (ECUs), provides superior detection and protection in vehicles, allowing VSOCs to quickly understand the nature of a potential attack.
- xZETA allows OEMs to scan vendors’ firmware on multiple levels and effectively reduces the attack surface from the beginning.
- xScope is a penetration-testing service that conducts a deep assessment of an entire vehicle to identify vulnerabilities and provide recommendations.
To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.