\n\n\n<\/p>\n
\n\n\n<\/p>\n
The two vulnerabilities affect OpenSSL up to version 3.0.6, and they involve a file named punycode.c, which is one of the files that manage the parsing of specific encoding of domain names (known as punycode). <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
With both vulnerabilities, \u201cA buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking\u201d, and they have been classified as CWE-120 by NIST, as a \u201cClassical Buffer Overflow.\u201d <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
Buffer overflows<\/h2>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
Generally, in C language, it is important to securely manage memory buffers to avoid any value written in a buffer from being reused elsewhere in the code and being interpreted with unexpected semantics. It\u2019s worth noting that in C, buffers include strings too! <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
Traditionally, strings are represented as a region of memory containing data terminated with a NULL character. Different string handling methods may rely on this NULL character to determine the length of the string. If a buffer that does not contain a NULL terminator is passed to one of these functions, the function will read past the end of the buffer or will lead to unexpected behaviors, such as buffer overflows. <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
Let\u2019s go through some technical details on the nature of the two OpenSSL vulnerabilities. <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
CVE-2022-3602 <\/h2>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
It is a buffer overflow related to the function ossl_punycode_decode, where there is a check on the size of a buffer for larger-than (>) values but omits the equals-to (=) values out of any check, as seen below. <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
The red highlight is the old version of the ossl_punycode_decode source code (OpenSSL 3.0.6), while the green one is the fixed version (OpenSSL 3.0.7). <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
The check at line 184 was leaving the case \u201c=\u201d unchecked, letting data with the same size of max_out variable to reach the next lines in the program and enter the further part of the function. <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
The fix addresses such a case, by adding the \u201c=\u201d case to the ones that must be excluded with return 0. <\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n
\n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n According to this evidence, the buffer overflow is due to the absence of a proper check against the size of a buffer which EQUALS the maximum, while there are cases defined to address sizes that are larger (return 0) and smaller (just continue). <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Technically, this case is similar to off-by-one vulnerabilities, where an application does not properly manage buffers which are exactly the size of the maximum expected, due to several assumptions on the data structures received in input. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Various assumptions can be done on data structures received in input, and they all deal about trusting the source of such input, in term of its content, its format, and its size; to build secure code, assumptions should be avoided. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Instead, sanitization and validation techniques should be implemented in the code: sanitization is the activity of removing extraneous data from a given input, transforming it into harmless data, compatible with business rules and security policies (e.g. removing special characters from a string before using it as a parameter in SQL); validation, on the other hand, is the activity of checking the content of a given input and rejecting any input that does not comply with application\u2019s constraints (e.g. rejecting any string that is greater or equals to the size of a memory buffer). <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Checkmarx\u2019s Codebashing training platform offers several lessons to teach developers how to write secure code in C, addressing proper methods to manage structures such as buffers, stacks, and heaps, which can help developers avoid introducing vulnerabilities in their code, such as CVE-2022-3602. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n For example, regarding off-by-one, Checkmarx\u2019s gamified platform shows the student a part of vulnerable code and its side effects at runtime, both in memory and interactively: <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n In this scenario, the vulnerable code is robust when the buffer is larger or smaller than the expected size; however, it is not safe when exactly 8 characters are entered. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n t is a buffer overflow related to the function ossl_punycode_decode, which manages several cases of writing characters (chars) to a buffer, before using that buffer in further contexts, such as reading it as a string. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n OpenSSL 3.0.7 introduced the use of this PUSHC macro, to manage operations in buffers properly, as stacks: <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n The macro is then used in place of old 3.0.6 \u201cmemcpy\u201d functions, everywhere it is needed. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Similar to the previous example above, the red highlight is the old version of the ossl_punycode_decode source code (OpenSSL 3.0.6), while the green one is the fixed version (OpenSSL 3.0.7). <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n The change on line 301 manages the absence of the NULL character, which may lead to unexpected behaviors if the just populated stack is used in other contexts (e.g., as a string!). <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Checkmarx SAST has a specific query for C\/C++ Language which is called \u201cImproper_Null_Termination.\u201d It is in the category of Buffer Overflows, and it has High severity. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Its goal is to identify buffers that have not been properly terminated by NULL characters. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n By scanning OpenSSL 3.0.6 with Checkmarx SAST, the punycode file appears in two results related to line 276 and 297 for Improper Null Termination query: <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n The description of the finding at line 276 states: <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \u201cThe buffer <\/em>outptr<\/em><\/strong> in <\/em>openssl-openssl-3.0.6cryptopunycode.c<\/em><\/strong> at <\/em>line 276<\/em><\/strong> does not have a <\/em>null<\/em><\/strong> terminator. Any subsequent operations on this buffer that treat it as a null-terminated string will result in unexpected or dangerous behavior.\u201d<\/em> <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n By scanning OpenSSL 3.0.7 with the same preset, the two vulnerabilities appear as fixed: <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Any application may present vulnerabilities due to the large size of applications, inheritances from older versions, mistakes, or errors. As evident with the recently identified OpenSSL vulnerabilities, even well-maintained and mature applications may present vulnerabilities that could be all but impossible to be identified by a manual review of the code. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n At the same time, the security awareness of developers is a key factor to produce and maintain secure code. <\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n Checkmarx SAST<\/a> and Checkmarx Codebashing<\/a> can help in raising the bar of security in your company and in your developers and security champions. Both solutions are fully integrated into our Checkmarx One\u2122 Application Security Platform. <\/p>\n\n\n\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n \n\n\n<\/p>\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/12\/image-7.png\")
<\/figure>\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/12\/image-1-1024x566-1.png\")
<\/figure>\nCVE-2022-3786 <\/h2>\n
![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/12\/image-2-1.png\")
<\/figure>\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/12\/image-5-652x1024-1.png\")
<\/figure>\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/12\/image-3-1.png\")
<\/figure>\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/12\/image-6-1.png\")
<\/figure>\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/12\/image-4-2.png\")
<\/figure>\nConclusion<\/h2>\n
\nLearn More <\/h2>\n