OpenSSL exposed to Denial-of-service vulnerability causing Infinite Loop

Threat Level – Amber | Vulnerability Report
Download PDF


For a detailed advisory, download the pdf file here.

A security flaw exists in OpenSSL software library that could lead to a denial-of-service (DoS) condition when parsing certificates.

The vulnerability, identified as CVE-2022-0778, arises from parsing a malformed certificate with invalid explicit elliptic-curve parameters, resulting in an “infinite loop”. The flaw is in the function BN_mod_sqrt(), which is used to compute the modular square root. Because certificate parsing occurs prior to certificate signature verification, any process that parses an externally supplied certificate may be subject to a denial-of-service attack. As a result, vulnerable situations include:

TLS clients consuming server certificatesTLS servers consuming client certificatesHosting providers taking certificates or private keys from customersCertificate authorities parsing certification requests from subscribersAnything else which parses ASN.1 elliptic curve parameters

The vulnerability is fixed in versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. While, OpenSSL 1.1.0 is also affected, no fix has been released as it has reached end-of-life.

Potential MITRE ATT&CK TTPs are:TA0042: Resource DevelopmentT1588: Obtain CapabilitiesT1588.006: Obtain Capabilities: VulnerabilitiesTA0001: Initial AccessT1190: Exploit Public-Facing ApplicationTA0040: ImpactT1499: Endpoint Denial of ServiceT1499.004: Endpoint Denial of Service: Application or System Exploitation

Vulnerability Details

Patch Link


What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox