By Admin on Wednesday, 02 November 2022
Category: All

OpenSSL 3.0.7 Fixes Critical Vulnerability

OpenSSL has released a new version, 3.0.7, that fixes a critical vulnerability present in OpenSSL versions 3.0.0 to 3.0.6. Registered users can download the latest OpenSSL version from their private account.

The vulnerability is a buffer overflow in X.509 certificate verification, the code used to validate TLS certificates. It could potentially be exploited to achieve remote code execution via a malicious TLS certificate; however, the malicious certificate must be signed by a trusted CA.

Since certificate verification is typically done on the client side, this vulnerability primarily affects clients rather than servers. Servers could be exploited via TLS client authentication, which may bypass the CA signing requirement, as client certificates are usually not required to be signed by a trusted CA. Since client authentication is rare, and most servers do not have it enabled, server exploitation should be low risk.

Attackers could exploit this vulnerability by directing a client to a malicious TLS server that uses a specially crafted certificate to trigger the overflow.

Versions affected

The vulnerability affects only OpenSSL versions 3.0.0 to 3.0.6, with the patch shipped in version 3.0.7. Because OpenSSL 3.0.0 was released in September 2021, it is far less widespread than previous versions. Given that recent release date, older appliances with a hard-coded OpenSSL version are unlikely to be vulnerable.
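As an added example (not code from the original post or from the OpenSSL project), the following Python script decides whether a given OpenSSL build falls inside the affected range described above. It assumes only what the post states, namely that 3.0.0 through 3.0.6 are affected and 3.0.7 carries the fix; the sample version strings are constructed, and the integer decoding follows the documented layout of OPENSSL_VERSION_NUMBER (0xMNN00PP0 for 3.x, 0xMNNFFPPS for 1.x). It also checks the OpenSSL that the running Python interpreter is linked against, which is one of the places a 3.0.x library can hide on a host.

```python
"""Triage helper: is this OpenSSL build in the 3.0.0-3.0.6 range fixed by 3.0.7?

Added example, not part of the original post. The only facts taken from the
advisory are the affected range (3.0.0 through 3.0.6) and the fixed release
(3.0.7). Sample version strings in the tests are constructed.
"""
import re
import ssl

AFFECTED_MIN = (3, 0, 0)   # first affected release (from the advisory)
FIXED = (3, 0, 7)          # first fixed release (from the advisory)

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 3.0.6 11 Oct 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch) from `openssl version`-style text.

    1.1.x letter suffixes such as the 'q' in 1.1.1q are ignored because only the
    numeric 3.x range matters for this advisory.  Raises ValueError if the text
    carries no OpenSSL version at all (e.g. a build banner that was cut off).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def version_from_number(n):
    """Decode the integer form exposed as ssl.OPENSSL_VERSION_NUMBER.

    OpenSSL 3.x encodes 0xMNN00PP0: major in the top nibble, minor in the next
    byte, patch in bits 4-11.  OpenSSL 1.x encodes 0xMNNFFPPS, where the third
    version component ("fix") lives in bits 12-19.
    """
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    if major >= 3:
        patch = (n >> 4) & 0xFF
    else:
        patch = (n >> 12) & 0xFF
    return (major, minor, patch)


def is_affected(version):
    """True if version is in [3.0.0, 3.0.7), the range the advisory names.

    1.1.1 builds and 3.0.7+ builds fall outside the range and return False.
    """
    return AFFECTED_MIN <= tuple(version) < FIXED


def assess(text):
    """Parse a version banner and return a small triage record."""
    version = parse_version(text)
    return {
        "version": "%d.%d.%d" % version,
        "affected": is_affected(version),
        "action": "upgrade to 3.0.7 or later" if is_affected(version) else "no action for this advisory",
    }


def check_linked_openssl():
    """Assess the OpenSSL library that this Python interpreter is linked against."""
    version = version_from_number(ssl.OPENSSL_VERSION_NUMBER)
    return {
        "banner": ssl.OPENSSL_VERSION,
        "version": "%d.%d.%d" % version,
        "affected": is_affected(version),
    }


if __name__ == "__main__":
    # Constructed banners, not captured from real hosts.
    for banner in ("OpenSSL 3.0.6 11 Oct 2022", "OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1q 5 Jul 2022"):
        print(assess(banner))
    print(check_linked_openssl())
```

On a fleet, feed the script the output of `openssl version` from each host plus the banners reported by language runtimes (Python, Node, and so on) that bundle their own OpenSSL, since a patched system library does not cover a statically linked 3.0.x copy.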
