The US National Security Agency (NSA) officials have recently discovered a vulnerability in the OpenSSL cryptographic library. This vulnerability can be used to conduct denial-of-service attacks and can be easily weaponized by its potential attackers.
OpenSSL is a popular cryptography library used to encrypt data and verify digital signatures. The bug affects the BN_mod_sqrt() function, which is used to calculate the modular square root and parses certificates that use elliptic curve public key encryption. This vulnerability has been given the identifier CVE-2022-0778.
If an attacker submits a certificate with broken curve parameters, the program will go into an infinite loop and crash. This will cause denial of service.
“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,” OpenSSL said in a March 15 security advisory. “The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.”
The bug is in the TLS client and server, but it can also be exploited in other areas, too. It affects OpenSSL versions 1.0.2, 1.1.1, and 3.0; all are subject to the bug. The bug affects TLS clients and servers, but it also affects hosting providers who take certificates or private keys from their customers, authorities that parse certification requests from their subscribers and “anything else that parses ASN.1 elliptic curve parameters.”
The vulnerability received a shout out from the NSA’s top cybersecurity official who warned defenders to patch immediately. This vulnerability is not as severe as it seems, so don’t be fooled by the low severity rating and patch immediately.