This dangerous OpenSSL vulnerability can easily be triggered | CVE-2022-2274 Explained

Hussein Nasser · Beginner ·📰 AI News & Updates ·4y ago

Key Takeaways

The video discusses the CVE-2022-2274 OpenSSL vulnerability, a high-severity bug in the RSA implementation for X86_64 CPUs supporting AVX512IFMA instructions, which can cause memory corruption and potentially lead to remote code execution or server crashes.

Full Transcript

a new security vulnerability was introduced in openssl version 3.0.4 titled heap memory corruption with rsa private key operation and this one is really scary right because you can trigger it trigger it really easily because if you have if your cypher suite happened to use an rsa signature just establishing a tls connection with the server right will trigger if the server have 3.0.4 they will have to use their private key to sign the message coming back from the tls server hello right and as a result that will cause the memory corruption that could also cause other possible remote code execution but what what really is nasty is the possible crash of the server i thought this is very interesting i wanted to discuss it let's jump into it so this comes from the open ssl security advisory back on july 5th 2022 heap memory corruption with rsa private key operations cve 2022 2022-2274 severity high and i think i know a lot of um these advisories are a little bit almost everything as high but i think this is and i am sometimes i describe some of them but this one is clearly a high you know especially if you have this particular cpu architecture you know let's jump into it the openness is a 3.0.4 release introduced a serious bug in the rsa implementation for x86 64 cpu supporting the avx 5512 ifma instructions i know this sounds confusing but it's going to be clear i did i didn't know what that was five minutes ago either so don't worry about it this issue makes the rsa implementation with 24 to 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation as a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation or just crash the server i mean the moment you have memory corruption a crash might happen right if you have open ssl four that's that's the first condition right if you have one one one or other stuff 102 you're not affected at all if you have that you're good but if you have zero three zero four that's not enough you should have 304 and you should have a cpu that supports this complex instruction set system which is this avx-512 you might say what is that we're going to come and come and discuss that you see cryptography when you do cryptography and you do public key cryptography you use exponent shells and modulo algorithm all the time and doing this operation in the general purpose cpu you know using uh rest reduce instruction sets you know like using addition and normal multiplication this basic operation can be expensive so intel actually introduced a new uh cpu that supports a specific instruction which i think they call these cpus complex instructions at sisk right so they introduced a baked in instruction that does this complex stuff their rsa that does all of that stuff right you know multiplication modulo power exponents all this fancy stuff the security people look what open ssl 304 did is started consuming uh this instructions that if your cpu supports it that's what they did effectively in this particular issue that's what they did in this particular issue this is the issue where we found the bug but this is where we discovered it the work was let's support this particular cpu right because it's actually much faster to do this operation in a single cp in a single instruction in the cpu instead of doing it i don't know as a multiplication and an exponential and doing everything in sort of a normal multiple instructions make sense so openness started supporting that and they introduced a bug in the process she roya discovered the bug and uh gave a repro case and he says hey i have this particular cpu and this only happens when i have when i have this particular cpu this tells you that and you're a programmer you know that there are multiple code paths that takes place so why didn't this happen on normal cpus because it's a completely different code path in normal cpus we're going to use a completely different module that executes the normal code for exponents and modules right using uh simple instruction sets but open system when it detects there is a cpu of i keep forgetting the name ax v avx 5512 automatically shift into another path and that basically will execute the code and that code apparently it might have been missed to be tested with rsa with version with the bit size 2048 so just think guys how many possible permutation that we need to test on it's massive right so i don't blame the openssl team running into these bugs like every now and then and here's the effects you guys here's the fix that she actually installed the fix and the fix is really interesting because the fixes are just a division problem here where the factor size is was accidentally sent as in in number of bets where it should have been said in this special unit which open ssl uses bnu long and this bnu long is actually kep it depends on the on the word that is being used but it could be 16 32 or 64 bits in size so the fix here is just divide the number of bits by eight make them bytes and divide that number of bytes by the the size of this unit that the open ssl team uses which is bnu long and that gives you the number of bnu longs effectively and that's what you should use that was the bug right so very interesting a single line of code that fixes it right but it it tells you like how can you actually trigger this if you look closely you know in a traditional cipher suite here's an example of a cypher suite you know cypher suites at least in atl it's 1.2 for simplicity it consists of uh what four parts the first part is the key exchange algorithm so this is elliptic curve dfe helmet this is what we use to exchange the key the symmetric key and this is the symmetric key encryption algorithm so this is the guy right and the show the last one is the message digest authentication the message authentication code where we make sure that nobody actually tinkers with the message and this one is the second part which is the signature anything you send back the server uses this algorithm and uses its private key to sign the message that is sent so that when this when the client gets that message it uses the server public key to decrypt to verify the message that it belongs to so the moment you as a client as an attacker you send a tls request with this particular signature telling the server hey server i only support this signa this cipher suite the server will be forced to use this particular as assuming it supports it and it will use its private key and the moment it uses its private key it will go through this code path assuming the server is running on a cpu that supports ax 512 instruction cell that the the the complex instructions that does all this rsa stuff baked into the cpu then immediately you're going to get you're going to run into this problem the server will either crash the client which is the attacker can send a bulk of code that the server might actually accidentally execute causing a remote code execution obviously we didn't see any examples but that's basically the whole explanation of this basic this interesting but what do you guys think about this let me know if your thoughts below i'm gonna see you in the next one you guys stay awesome goodbye

Original Description

We discuss the CVE-2022-2274 OpenSSL Vulnerability. The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. 0:00 Intro 1:00 CVE-2022-2274 3:00 AVX512IFMA CISC 5:00 How the bug works 7:10 How can it be triggered Resources https://www.openssl.org/news/secadv/20220705.txt https://github.com/openssl/openssl/issues/18625 https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/ https://eprint.iacr.org/2018/335 https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345 https://linux.die.net/man/3/bn_internal https://www.microfocus.com/documentation/enterprise-developer/ed60/ES-WIN/GUID-E3960B1E-C42E-4748-A5EB-6E12507C9CD7.html https://www.microcontrollertips.com/risc-vs-cisc-architectures-one-better/ Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon) https://network.husseinnasser.com Fundamentals of Database Engineering udemy course (link redirects to udemy with coupon) https://database.husseinnasser.com Introduction to NGINX (link redirects to udemy with coupon) https://nginx.husseinnasser.com Python on the Backend (link redirects to udemy with coupon) https://python.husseinnasser.com Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join Arabic Software Engineering Channel https://www.youtube.com/channel/UChWZsjdoRvZ0T9QWZOD6UpA 🔥 Members Only Content https://www.youtube.com/playlist?list=UUMO_ML5xP23TOWKUcc-oAE_Eg 🏭 Backend Engineering Videos in Order https://backend.husseinnasser.com 💾 Database Engineering Videos https://www.youtube.com/playlist?list=PLQ
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Hussein Nasser · Hussein Nasser · 0 of 60

← Previous Next →
1 Extending ArcObjects (IGeometry) - 01 - Getting Started
Extending ArcObjects (IGeometry) - 01 - Getting Started
Hussein Nasser
2 Extending ArcObjects  (IGeometry) - 02 - The Document, The Map and The Layers
Extending ArcObjects (IGeometry) - 02 - The Document, The Map and The Layers
Hussein Nasser
3 Channel Update - New Book, New Job, New Videos
Channel Update - New Book, New Job, New Videos
Hussein Nasser
4 Learn Programming with VB.NET - 01 - Getting Started
Learn Programming with VB.NET - 01 - Getting Started
Hussein Nasser
5 Learn Programming with VB.NET - 02 - Classes and Objects (Part 1)
Learn Programming with VB.NET - 02 - Classes and Objects (Part 1)
Hussein Nasser
6 Learn Programming with VB.NET - 03 - Classes and Objects (Part 2)
Learn Programming with VB.NET - 03 - Classes and Objects (Part 2)
Hussein Nasser
7 Learn Programming with VB.NET - 04 - User Interface
Learn Programming with VB.NET - 04 - User Interface
Hussein Nasser
8 Learn Programming with VB.NET - 05 - By Value v. By Reference
Learn Programming with VB.NET - 05 - By Value v. By Reference
Hussein Nasser
9 Learn Programming with VB.NET - 06 - Variable size, 32 bit vs 64 bit
Learn Programming with VB.NET - 06 - Variable size, 32 bit vs 64 bit
Hussein Nasser
10 Learn Programming with VB.NET - 07 - Conditional Statements
Learn Programming with VB.NET - 07 - Conditional Statements
Hussein Nasser
11 Learn Programming with VB.NET - 08 - Inheritance
Learn Programming with VB.NET - 08 - Inheritance
Hussein Nasser
12 Learn Programming with VB.NET - 09 - Strategy Design Pattern
Learn Programming with VB.NET - 09 - Strategy Design Pattern
Hussein Nasser
13 Learn Programming with VB.NET - 10 -  How did I learn programming
Learn Programming with VB.NET - 10 - How did I learn programming
Hussein Nasser
14 IGeometry 2016 Retrospective - Channel Update
IGeometry 2016 Retrospective - Channel Update
Hussein Nasser
15 Javascript by Example - The Vook
Javascript by Example - The Vook
Hussein Nasser
16 Vlog - Keep your servers close and your database closer
Vlog - Keep your servers close and your database closer
Hussein Nasser
17 Vlog - Client/Server Programming Languages
Vlog - Client/Server Programming Languages
Hussein Nasser
18 Javascript By Example L1E01 - Getting Started
Javascript By Example L1E01 - Getting Started
Hussein Nasser
19 Persistent Connections (Pros and Cons)
Persistent Connections (Pros and Cons)
Hussein Nasser
20 Javascript By Example L1E02 - Building the Calculator Interface
Javascript By Example L1E02 - Building the Calculator Interface
Hussein Nasser
21 Happy new Year from IGeometry!
Happy new Year from IGeometry!
Hussein Nasser
22 Synchronous v. Asynchronous
Synchronous v. Asynchronous
Hussein Nasser
23 Javascript By Example L1E03 - Displaying the Digits on Calculator Screen
Javascript By Example L1E03 - Displaying the Digits on Calculator Screen
Hussein Nasser
24 Show Your Work. Blog, Vlog, Write, Create and Develop!
Show Your Work. Blog, Vlog, Write, Create and Develop!
Hussein Nasser
25 Relational Database Atomicity Explained By Example
Relational Database Atomicity Explained By Example
Hussein Nasser
26 Javascript By Example L1E04 - Operators, All Clear with Arrow Functions
Javascript By Example L1E04 - Operators, All Clear with Arrow Functions
Hussein Nasser
27 What Comes First, User Experience or Software Architecture?
What Comes First, User Experience or Software Architecture?
Hussein Nasser
28 Javascript By Example L1E05 -  Evaluate the Calculator Expressions with eval
Javascript By Example L1E05 - Evaluate the Calculator Expressions with eval
Hussein Nasser
29 Fastest Way to Learn Programming Language or Technology
Fastest Way to Learn Programming Language or Technology
Hussein Nasser
30 Javascript By Example L1E06 -  Fix Leading Zero Bug with Conditions
Javascript By Example L1E06 - Fix Leading Zero Bug with Conditions
Hussein Nasser
31 Stateful vs Stateless Applications (Explained by Example)
Stateful vs Stateless Applications (Explained by Example)
Hussein Nasser
32 Javascript By Example L1E07 - Running our Calculator on the Mobile Phone
Javascript By Example L1E07 - Running our Calculator on the Mobile Phone
Hussein Nasser
33 Advice for New Software Engineers and Developers
Advice for New Software Engineers and Developers
Hussein Nasser
34 Why JSON is so Popular?
Why JSON is so Popular?
Hussein Nasser
35 Building Scalable Software - SLA, HS, VS
Building Scalable Software - SLA, HS, VS
Hussein Nasser
36 Vlog (Istanbul) - Datacenter Proximity
Vlog (Istanbul) - Datacenter Proximity
Hussein Nasser
37 Should Software Engineers Learn Bleeding-Edge Technologies?
Should Software Engineers Learn Bleeding-Edge Technologies?
Hussein Nasser
38 Do Developers Build Bad User Interfaces/Experience?
Do Developers Build Bad User Interfaces/Experience?
Hussein Nasser
39 Learn By Doing.
Learn By Doing.
Hussein Nasser
40 I Wrote Bad Front-End Code That Broke Chrome
I Wrote Bad Front-End Code That Broke Chrome
Hussein Nasser
41 My Story
My Story
Hussein Nasser
42 Vlog - Horizontal vs Vertical Scaling
Vlog - Horizontal vs Vertical Scaling
Hussein Nasser
43 Can User Experience Help Build Better Rest API?
Can User Experience Help Build Better Rest API?
Hussein Nasser
44 Reverse engineering Instagram in flight mode
Reverse engineering Instagram in flight mode
Hussein Nasser
45 The Benefits of the 3-Tier Architecture (e.g. REST API)
The Benefits of the 3-Tier Architecture (e.g. REST API)
Hussein Nasser
46 Stateless v. Stateful Architecture (Podcast)
Stateless v. Stateful Architecture (Podcast)
Hussein Nasser
47 The evolution from virtual machines to containers
The evolution from virtual machines to containers
Hussein Nasser
48 Proxy vs. Reverse Proxy (Explained by Example)
Proxy vs. Reverse Proxy (Explained by Example)
Hussein Nasser
49 Canary Deployment (Explained by Example)
Canary Deployment (Explained by Example)
Hussein Nasser
50 No Excuses
No Excuses
Hussein Nasser
51 Synchronous vs Asynchronous Applications (Explained by Example)
Synchronous vs Asynchronous Applications (Explained by Example)
Hussein Nasser
52 What is an Asynchronous service?
What is an Asynchronous service?
Hussein Nasser
53 Difference between Client Polling vs Server Push in Notifications
Difference between Client Polling vs Server Push in Notifications
Hussein Nasser
54 Software vs. Hardware AdBlockers (Explained by Example)
Software vs. Hardware AdBlockers (Explained by Example)
Hussein Nasser
55 HTTP Caching with E-Tags -  (Explained by Example)
HTTP Caching with E-Tags - (Explained by Example)
Hussein Nasser
56 Simple Object Access Protocol Pros and Cons (Explained by Example)
Simple Object Access Protocol Pros and Cons (Explained by Example)
Hussein Nasser
57 Nodejs Express "Hello, World"
Nodejs Express "Hello, World"
Hussein Nasser
58 Reverse Engineering Instagram feed
Reverse Engineering Instagram feed
Hussein Nasser
59 Popup Modal Dialog with Javascript and HTML
Popup Modal Dialog with Javascript and HTML
Hussein Nasser
60 MIME and Media Type sniffing explained and the type of attacks it leads to
MIME and Media Type sniffing explained and the type of attacks it leads to
Hussein Nasser

The video explains the CVE-2022-2274 OpenSSL vulnerability, its causes, and potential consequences, highlighting the importance of secure coding practices and vulnerability management in maintaining system security.

Key Takeaways
  1. Understand the basics of OpenSSL and RSA implementation
  2. Recognize the potential risks of memory corruption in cryptographic operations
  3. Identify the specific conditions under which the CVE-2022-2274 vulnerability can be triggered
  4. Apply knowledge of cybersecurity principles to develop secure coding practices
💡 The CVE-2022-2274 vulnerability highlights the importance of thorough testing and validation of cryptographic implementations, particularly when leveraging specialized CPU instructions.

Related Reads

📰
Will a Degree Still Matter in the AI Era?
In the AI era, a degree may still open doors, but its value is being reevaluated, making it essential to acquire relevant skills to remain competitive
Medium · AI
📰
Will a Degree Still Matter in the AI Era?
In the AI era, a degree may not be the sole determinant of career success, but it can still open doors and provide foundational knowledge
Medium · Startup
📰
AI Is Not the Enemy of Journalists, but a Test of Journalism’s Integrity
AI is transforming journalism, but its impact depends on the integrity of journalists, who must learn to work with AI tools while maintaining ethical standards
Medium · AI
📰
Apple Sends Letters to Dozens of Former Employees Now at OpenAI
Apple is taking aggressive legal action against former employees now at OpenAI, demanding document preservation and meetings with lawyers, in relation to a recent lawsuit
Daring Fireball

Chapters (5)

Intro
1:00 CVE-2022-2274
3:00 AVX512IFMA CISC
5:00 How the bug works
7:10 How can it be triggered
Up next
What is SaaS Explained with Examples
VLR Software Training
Watch →