SNS: Dos due to OpenSSL certificate handling vulnerability (CVE-2022-0778)

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2022-008 CVE-2022-0778 03/16/2022 high v1

Vulnerability details

Risk of DoS on SNS services due to OpenSSL certificate handling vulnerability

Impacted products

ProductsSeverityDetail
Stormshield Network Security high SNS is impacted

Revisions

Version Date Description
v1 04/06/2022 Initial release

 



Stormshield Network Security

CVSS v3.1 Overall Score: 8.4      

Analysis

Impacted version

An attacker could exploit this vulnerability via forged certificate making services using SSL (VPNSSL, proxy , …) loop forever.

SNS may mitigate this vulnerability by restarting frozen services but the attacker will still be able to freeze them again.
  • SNS 2.7.0 to 2.7.9
  • SNS 3.7.0 to 3.7.26
  • SNS 3.11.0 to 3.11.14
  • SNS 4.2.0 to 4.2.10
  • SNS 4.3.0 to 4.3.6

Workaround solution

Solution

There is no workaround solution.

The following versions fix this vulnerability:

  • 2.7.10
  • 3.7.27
  • 3.11.15
  • 4.2.11
  • 4.3.7


Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Network Low None None Unchanged None None High
CVSS Base score: 7.5 CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploit Code Maturity Remediation Level Report Confidence
Proof of concept code Official fix Confirmed
CVSS Temporal score: 6.7 CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Confidentiality Requirement (CR) Integrity Requirement (IR) Availability Requirement (AR)
High High High
CVSS Environmental score: 8.4 CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)