OpenSSL Infinite loop when parsing certificates CVE-2022-0778
Micah
SonicWall Employee
in Water Cooler
A vulnerability, CVE-2022-0778, was found in OpenSSL that allows an attacker to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate is exposed to a DoS (denial of service) attack.
SonicWall is investigating its product line to determine which products and cloud services may be affected by this vulnerability.
@micah - SonicWall's Self-Service Sr. Manager
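The post above describes which OpenSSL releases are affected but not how to tell whether a given host has one of them. The following is an added example (not from the original post, SonicWall, or the OpenSSL project) that parses an OpenSSL version banner and maps it to the fix levels published in the OpenSSL advisory for CVE-2022-0778: 1.1.1n, 3.0.2 and 1.0.2zd. The sample banners are constructed; the running interpreter is checked through Python's own `ssl.OPENSSL_VERSION`. Treating the out-of-support 1.1.0 and 1.0.1 branches as vulnerable is an assumption made here, since no fixed release exists for them.

```python
"""Map an OpenSSL version banner to its CVE-2022-0778 status.

Fix levels taken from the OpenSSL advisory: 1.0.2zd, 1.1.1n, 3.0.2.
Anything older on those branches (or on a branch that never got a fix)
is reported as vulnerable.
"""
import re
import ssl

# Matches banners such as "OpenSSL 1.1.1n  15 Mar 2022" or "OpenSSL 3.0.2 15 Mar 2022".
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter_suffix) for an OpenSSL banner string."""
    m = _VERSION_RE.search(banner)
    if m is None:
        # LibreSSL / BoringSSL banners land here; they are not covered by this check.
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, fix, suffix = m.groups()
    return int(major), int(minor), int(fix), suffix


def _suffix_key(suffix):
    # Pre-3.0 patch letters run a..z and then za, zb, zc, zd, so a longer
    # suffix is always newer; compare by length first, then alphabetically.
    return (len(suffix), suffix)


def is_vulnerable_to_cve_2022_0778(banner):
    """True if the OpenSSL release in `banner` predates the fix for its branch."""
    major, minor, fix, suffix = parse_openssl_version(banner)
    if major >= 3:
        # 3.0.0 and 3.0.1 are affected; 3.0.2 and every later 3.x carry the fix.
        return (major, minor, fix) < (3, 0, 2)
    if (major, minor, fix) == (1, 1, 1):
        return _suffix_key(suffix) < _suffix_key("n")
    if (major, minor, fix) == (1, 0, 2):
        return _suffix_key(suffix) < _suffix_key("zd")
    # 1.1.0, 1.0.1 and older are out of support and never received a fix.
    # Assumption made by this example: treat them as vulnerable.
    return True


def running_interpreter_status():
    """Check the OpenSSL this Python links against. Returns (banner, status).

    status is True/False for OpenSSL, or None when the library is not OpenSSL.
    """
    banner = ssl.OPENSSL_VERSION
    try:
        return banner, is_vulnerable_to_cve_2022_0778(banner)
    except ValueError:
        return banner, None


if __name__ == "__main__":
    # Constructed sample banners covering each branch and its fix level.
    for sample in (
        "OpenSSL 1.1.1m  14 Dec 2021",
        "OpenSSL 1.1.1n  15 Mar 2022",
        "OpenSSL 3.0.1 14 Dec 2021",
        "OpenSSL 3.0.2 15 Mar 2022",
        "OpenSSL 1.0.2zc",
        "OpenSSL 1.0.2zd",
    ):
        print("%-30s vulnerable=%s" % (sample, is_vulnerable_to_cve_2022_0778(sample)))
    banner, status = running_interpreter_status()
    print("this interpreter: %s -> %s" % (banner, status))
```

The version check is only a first pass: vendors such as SonicWall ship OpenSSL inside their own firmware and backport fixes, so for appliances the authoritative source is the vendor advisory and release notes rather than a banner string.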
Comments
The notice has been updated recently. Learn more at https://www.sonicwall.com/support/notices/security-notice-openssl-infinite-loop-when-parsing-certificates-cve-2022-0778/220412121029153/
@micah - SonicWall's Self-Service Sr. Manager
Firmware 10.0.17 for Email Security got released, fixing CVE-2022-0778, PSIRT still shows it as "Under review" but it might be affected after all.
--Michael@BWC
Firmware 6.5.4.10 for Gen6 appliances is getting rolled out; the release notes mention CVE-2022-0778 for that. Still no update on PSIRT.
--Michael@BWC
@Micah you might tell the PSIRT guys to edit the security advisory, because it lists the supposedly fixed firmwares as affected, which might cause confusion for end users. Hopefully the SMA 100 fix will be quick.
--Michael@BWC
Fixed! Thank you, Michael. As of this comment the Gen 7 fix is SonicOS 7.0.1-5052. Sorry for any confusion.
Also, the notice has been updated. Learn more at https://www.sonicwall.com/support/notices/security-notice-openssl-infinite-loop-when-parsing-certificates-cve-2022-0778/220412121029153/
@micah - SonicWall's Self-Service Sr. Manager
New Firmwares for SMA 100 Series are available now, 10.2.1.5 and 10.2.0.10 are ready to download on MSW.
--Michael@BWC
Hey, has anyone already tried Gen6 version 6.5.4.10.95?
Or does anyone know if there are some issues with this version?
@Chojin I have 6.5.4.10 on a bunch of appliances in the field already and wasn't experiencing any new issues.
--Michael@BWC