If you are an OpenSSL user, you are probably aware of the recent high-profile bugfix release, which came back in March 2022.
This fix came with our OpenSSS 3.0.2 And 1.1.1nUpdates for two current full-supported flavors of the product.
(There’s a legacy version here, 1.0.2, but updates to that version are only available to customers who pay for premium support, and in terms of product changes and improvements from day 1.0.2, we’re asking you to move on to the mainstream version – maybe even special – If you plan to continue paying for support.)
The March 2022 update was an important reminder that deeply buried code with unusual bugs could be neglected year after year, especially if that code is part of a complex, specialized, low-level function.
Bug fixes are then used to compute what is known as a special-purpose algorithm Modular square rootWhich is more complicated to calculate than regular square roots.
Unfortunately, the code to perform this calculation using an algorithm first invented in the 1890s was unrealistically coded, obscenely written, bad comments, and difficult to follow.
However, this was not an explicit “externally-oriented” part of OpenSSL, and it would be a difficult task to rewrite. When confronted with input, it is not searched for consistency.
Because, when confronted with digital certificates that were booby-trapped to create uncategorized numbers, OpenSSL’s BN_mod_sqrt()
The function may be tricked into looping forever, trying to close an answer that did not exist.
When you only work with integers and reject any kind of fraction, you see that many numbers do not have modular square roots, just as you see that many integers do not have regular square roots. Thus 7 × 7 = 49, so 49 has a square root which is a whole number, i.e. 7. But there is no integer that can automatically multiply by 50 or 51, because the next “perfect square” is 8 × 8 = 64. You can try as long as you want, but you will never get an integer answer for 151 No.
In fact never wrong, just incomplete
In other words, though, OpenSSL’s BigNumber code (many encryption algorithms never rely on working with numbers that number in the hundreds or even thousands) Wrong The answer is, it sometimes doesn’t realize that there is no answer to be found, and will be stuck in an infinite loop.
This infinite loop, which is known as a key can be misused to provoke Refuse to serve Attack (DoS), can be triggered if a brutal website is sent across a booby-trapped digital certificate.
This means, ironically, that software that was prudent about digital certificate verification can be dubbed through this bug. CVE-2022-0778While programs that do not bother at all with the validity of the certificate are not affected by it.
Given the important “educational moments” published by this bug, we’ve covered it in detail not only in Naked Security, where we explained how to write better style code, but also in Sophos News, where SophosLabs showed a horrible account of how to trigger a booby-trapped certificate error. Could, and How to debug code to understand bugs.
In the meantime, two more security holes
The next was the OpenSSL update 3.0.3Or 1.1.1o For users of previous releases, which patched a bug that was not considered a major bug (at least, we did not cover it in Naked Security), it was mainly because the bug was not in the OpenSSL encryption library code.
Instead of affecting all software that relies on OpenSSL as a cryptographic provider, CVE-2022-1292 Only a utility script written in Perle has been affected, which came with the OpenSSL toolkit.
This script, known as c_rehash
(Too small Certificate directory rehash) Is a little-known tool that takes a directory of cryptographic certificate files, such as those maintained by Mozilla as Trusted Certificate Authority (CAs), and creates a list of file hashes that can help software find specific certificates faster than searching. Alphabetical list of names.
For example, Mozilla’s CA Certificate Directory looks like this.
$ ls -l /usr/share/ca-certificates/mozilla -rw-r--r-- 1 duck duck 2772 2022-06-23 05:32 ACCVRAIZ1.crt -rw-r--r-- 1 duck duck 1972 2022-06-23 05:32 AC_RAIZ_FNMT-RCM.crt -rw-r--r-- 1 duck duck 904 2022-06-23 05:32 AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt [. . .] -rw-r--r-- 1 duck duck 1302 2022-06-23 05:32 emSign_Root_CA_-_G1.crt -rw-r--r-- 1 duck duck 774 2022-06-23 05:32 vTrus_ECC_Root_CA.crt -rw-r--r-- 1 duck duck 1911 2022-06-23 05:32 vTrus_Root_CA.crt
সময় OpenSSL time c_rehash
The script creates a list of symbolic links that allow individual certificates to be hashed in the certificate based on the issuer’s name instead of its file name:
lrwxrwxrwx 1 duck duck 23 2022-06-24 13:41 002c0b4f.0 -> GlobalSign_Root_R46.crt lrwxrwxrwx 1 duck duck 45 2022-06-24 13:41 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.crt lrwxrwxrwx 1 duck duck 36 2022-06-24 13:41 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.crt [. . .] lrwxrwxrwx 1 duck duck 19 2022-06-24 13:41 fe8a2cd8.0 -> SZAFIR_ROOT_CA2.crt lrwxrwxrwx 1 duck duck 23 2022-06-24 13:41 feffd413.0 -> GlobalSign_Root_E46.crt lrwxrwxrwx 1 duck duck 49 2022-06-24 13:41 ff34af3f.0 -> TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
Some software relies on these “hash links” to act as a kind of basic database system for indexing and searching for specific certificates.
In addition, some operating systems invite distros automatically c_rehash
Script in the background to keep these special-purpose links up to date.
Shell metacarectors are considered harmful
Unfortunately, the script depends on Perl system()
Function (or an equivalent command) to calculate file hash, and system()
The system automatically launches a command shell, such as Bash, to launch any necessary subprograms.
And, as you probably know, command shells don’t always use their command-line arguments literally, so if you put special characters in those arguments, the shell manages them in potentially dangerous ways.
For example, command echo runthis
Literally prints text runthis
But the order echo $(runthis)
Characters do not print out directly $(runthis)
.
Instead, the so-called MetaCommand $(runthis)
I mean Command replacementSo it says, “Run the command runthis
And replace $(...)
When finished, the part with the output of that command “:
# argument treated literally, no metacharacters found $ echo runthis runthis # tries to execute 'runthis', but no such command exists $ echo $(runthis) -bash: runthis: command not found # runs two commands, collects output of both $ echo $(whoami; uname -s -r) duck Linux 5.18.6
If at risk $(...)
Sounds familiar, because it was a metacommand vulnerability that was exploited in Windows’ recent “Folina” bug. To learn more, and to see that bug live in action, you can check out our recorded webinar. Just click on the image below. [Registration required, access is immedidate thereafter.]
What’s up?
Scripts that receive unsolicited input from someone else – be it a string typed into a web form or the name of a created file provided from the outside – be very careful not to allow these particular metacommands to be leaked as shell arguments when relying on commands Will shell to run external utilities.
Below, you can see the code from which the change was made 1.1.1n Per 1.1.1o:
A Perl command of the form `...`
(A command in Bactics, e.g. `runthis`
Simply an old-fashioned way of writing $(runthis)
Was replaced with a dedicated internal function called command replacement) compute_hash
Which takes more care with the weird meta-characters in the built-in command string.
Well, it turns out that the maintainers could not fully capture all the places in this utility script where an external command was run without proper care and attention.
So this week Saw the release Of OpenSSL 3.0.4 And 1.1.1 pTo fix other risky system commands c_rehash
Utility:
This time, it was a call out cp
(Copy file) via command shell-based system()
Functions that were replaced by a secure, dedicated internal function copy_file
.
This bugfix has an official identifier CVE-2022-2068.
As the OpenSSL changelog warns:
[The
c_rehash
] The script is distributed by some operating systems in such a way that it executes automatically. In this type of operating system, an attacker can execute commands arbitrarily with the benefit of the script.
What do you do?
- Update OpenSSL as soon as possible. If you rely on your Linux distro to handle centrally installed copies, contact your distro manufacturer for details. If you’re relying on your own OpenSSL build (or side by side) instead of system-wide, be sure to update that copy as well. You are looking 3.0.4 Or 1.1.1 p. Invoice
openssl version
See what version you got. - Consider retiring
c_rehash
Utility if you use it. All-in-one utilityopenssl
Which usually used to create and sign certificates in the first place, now includes a built-in subcommandrehash
To do the same. Tryopenssl rehash -help
For more information. - Sanitize your input and output. Never assume that the input you receive is safe to use as it is, and be careful about the data you pass as output to other parts of your code.
- Beware of multiple errors when reviewing code for certain types of bugs. A programmer who was careless
system()
The command in one place of the code made a similar mistake elsewhere.
Programmers often create (or reproduce) similar bugs many times, usually for completely innocent and understandable reasons.
Either they were unaware of this class of bugs while working on the code, or they took a “temporary shortcut” to speed up the prototype work but never came back and tidied up, or they copied and pasted someone else’s faulty code and made it their own. Created …