OpenSSL Infinite loop when parsing certificates CVE-2022-0778

Micah · April 2022

A vulnerability CVE-2022-0778 was found in OpenSSL that allows to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate leads to a DoS (Denial of service) attack.

SonicWall is investigating its product line to determine which products and cloud services may be affected by this vulnerability.

Learn more at https://www.sonicwall.com/support/notices/security-notice-openssl-infinite-loop-when-parsing-certificates-cve-2022-0778/220412121029153/

Micah · April 2022

The notice has been updated recently. Learn more at https://www.sonicwall.com/support/notices/security-notice-openssl-infinite-loop-when-parsing-certificates-cve-2022-0778/220412121029153/

BWC · April 2022

Firmware 10.0.17 for Email Security got released, fixing CVE-2022-0778, PSIRT still shows it as "Under review" but it might be affected after all.

--Michael@BWC

BWC · April 2022

Firmware 6.5.4.10 for Gen6 Appliances is getting rolled out, the Release Notes mentioned CVE-2022-0778 for that. Still no Update on PSIRT.

--Michael@BWC

BWC · April 2022

@Micah you might tell the PSIRT guys to edit the Security Advisory, because it lists the supposed to be fixed Firmwares as affected which might cause confusion to the endusers. Hopefully the SMA 100 fix will be quick.