Main Vulnerability Database Exploits ID:8586 - Exploit for Inadequate Encryption Strength in OpenSSL - CVE-2022-3358

ID:8586 - Exploit for Inadequate Encryption Strength in OpenSSL - CVE-2022-3358

Published: November 8, 2022

Vulnerability identifier: #VU68116

Vulnerability risk: Medium

CVE-ID: CVE-2022-3358

CWE-ID: CWE-326

Exploitation vector: Remote access

Vulnerable software:
OpenSSL

Link to public exploit:

https://www.rapid7.com/db/modules/auxiliary/scanner/ssl/ssl_version

Vulnerability description

The vulnerability allows a remote attacker to decrypt traffic.

The vulnerability exists due to an error in openssl implementation when handling legacy custom ciphers with NID_undef passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions. Under certain conditions openssl can fail to select a proper cipher and use NULL instead, which corresponds to sending data in plain text.

Note, applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function.

Remediation

Install updates from vendor's website.

ID:8586 - Exploit for Inadequate Encryption Strength in OpenSSL - CVE-2022-3358

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human