CVE-2022-3602 & CVE-2022-3786

Because the number of vulnerabilities affecting open-source software keeps growing, proactive detection of vulnerability exploitation remains one of the most common security use cases according to the latest SOC Prime's Detection as Code Innovation report. At the turn of November 2022, two new vulnerabilities in the OpenSSL software library, identified as CVE-2022-3602 and CVE-2022-3786, came into the limelight and drew the attention of cyber defenders. On November 1, 2022, OpenSSL issued a security advisory covering the details of the first security flaw, tracked as CVE-2022-3602. The newly discovered vulnerabilities affect OpenSSL versions 3.0.0 through 3.0.6, exposing users of this software to potential exploitation attempts.

OpenSSL Punycode Vulnerability Exploit Detection Scenarios 

Critical vulnerabilities affecting open-source software products are constantly causing a stir in the cyber threat arena. Hard on the heels of Text4Shell, an RCE vulnerability in Apache Commons Text, cyber defenders are facing new threats related to the newly discovered security flaws in the OpenSSL open-source library, tracked as CVE-2022-3602 and CVE-2022-3786. Datadog Security Labs has recently released in-depth research detailing potential detection scenarios for CVE-2022-3602 exploitation attempts.

Grab a set of Sigma rules to detect malicious activity potentially associated with CVE-2022-3602 that could result in remote code execution (RCE). The whole rule set is based on research by Datadog Security Labs.

The detections are compatible with 24 SIEM, EDR, and XDR technologies and are aligned with the MITRE ATT&CK® framework, addressing the Initial Access, Persistence, and Command and Control tactics, with Exploit Public-Facing Applications (T1190), Server Software Component (T1505), and Dynamic Resolution (T1637) as the corresponding techniques.

Hit the Explore Detections button to instantly access Sigma rules for CVE-2022-3602, corresponding CTI links, ATT&CK references, and threat hunting ideas.


CVE-2022-3786 and CVE-2022-3602 Description

OpenSSL is an open-source cryptography library for secure communication based on the SSL and TLS protocols. Version 3 of the library, released in September 2021, has been found vulnerable to two newly revealed security bugs known as CVE-2022-3602 and CVE-2022-3786. The buffer overrun behind these vulnerabilities can be triggered in a TLS client by establishing a connection to a malicious server. The OpenSSL security flaws can also be exploited in a TLS server if the server requests client authentication and a malicious client connects to it. The buffer overflow can cause a denial of service and potentially trigger RCE.

The OpenSSL punycode vulnerability CVE-2022-3602 has received a high severity rating in the dedicated OpenSSL security advisory. The uncovered security flaw exists in the OpenSSL function that decodes punycode domain names. Threat actors can potentially exploit CVE-2022-3602 by generating a custom certificate with punycode in the domain part of the email address field.

Although there is currently no publicly available CVE-2022-3602 PoC exploit code, Datadog researchers have built their own vulnerable scenario on Windows and offered a PoC DoS exploit against OpenSSL running on Windows.

As a mitigation measure for CVE-2022-3786 and CVE-2022-3602, OpenSSL 3.0 users are recommended to upgrade to OpenSSL version 3.0.7, in which the discovered security flaws are patched.
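Before any detection content becomes relevant, a defender needs to know which hosts actually run an affected build. The following script is an added example and is not code from the article, SOC Prime, or the OpenSSL project: it parses `openssl version` banners collected from a fleet (the sample inventory below is constructed) and classifies each host against the version range the article gives (3.0.0 through 3.0.6 affected, 3.0.7 fixed). The host names and banners are assumptions for illustration only.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version boundaries as stated in the article and the OpenSSL advisory.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)
FIXED = (3, 0, 7)

# Leading part of `openssl version` output. The letter suffix used by the
# 1.1.1 series (e.g. "1.1.1q") and pre-release tags ("3.0.7-dev") are ignored
# because the affected range is defined on the numeric triple only.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(banner: str) -> str:
    """Return 'vulnerable', 'patched', 'not-affected' or 'unknown'."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"            # banner did not parse; needs manual review
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "vulnerable"         # 3.0.0 .. 3.0.6
    if version >= FIXED:
        return "patched"            # 3.0.7 or later
    return "not-affected"           # e.g. 1.1.1 series, outside the stated range


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by classification, sorted for stable output."""
    groups: Dict[str, List[str]] = {}
    for host, banner in inventory.items():
        groups.setdefault(classify(banner), []).append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory: host -> output of `openssl version` (assumed).
SAMPLE_INVENTORY = {
    "web-01.example.test": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02.example.test": "OpenSSL 3.0.7 1 Nov 2022",
    "bastion.example.test": "OpenSSL 1.1.1q  5 Jul 2022",
    "build.example.test": "OpenSSL 3.0.7-dev",
    "legacy.example.test": "command not found",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13s} {', '.join(hosts)}")
```

Note that `openssl version` only reports the library behind the command-line tool; applications that statically link or bundle their own copy of OpenSSL must be inventoried separately.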

Stay one step ahead of attackers with curated detection content against any critical threat or exploitable CVE. Reach 800 rules for current and emerging CVEs to identify the risks in your infrastructure in a timely manner. Get 140+ Sigma rules for free or obtain the comprehensive list of relevant detection content via On Demand at https://my.socprime.com/pricing/.
