OpenSSL issue causing 100% CPU and unresponsive server (CVE-2022-0778)

Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

OpenSSL issue causing 100% CPU and unresponsive server (CVE-2022-0778)

Post by Syzop »

Summary
OpenSSL and LibreSSL have a bug in their SSL/TLS library that most likely also affects UnrealIRCd. An attacker could cause UnrealIRCd to enter a 100% CPU loop. This makes UnrealIRCd unresponsive to any commands. The ircd will appear "frozen" or "stalled".

Details
OpenSSL released a security advisory for CVE-2022-0778 on 2022-03-15. LibreSSL is similarly affected. Any client capable of initiating an SSL/TLS session could cause an SSL/TLS server to hang. In case of IRC it should be noted that this likely also affects passworded (hub) servers as the attacker does not need to authenticate and does not need to send any IRC commands. Again, this issue is not UnrealIRCd-specific, it likely affects any SSL/TLS program that uses OpenSSL or LibreSSL and reads peer certificates such as apache, nginx, exim, etc. According to OpenSSL the issue "only" causes a hang, it does not allow privilege escalation, no remote code execution.

Advice for *NIX users:
On *NIX we recommend admins to upgrade the OpenSSL package and then restart UnrealIRCd. Consult your distro for more information on openssl updates and how to verify installation. There is no new UnrealIRCd release for *NIX as there is no bug in UnrealIRCd itself. The issue is in OpenSSL / LibreSSL.

Although slightly off-topic, it should be pointed out that many Linux distros backport OpenSSL fixes, and they often do it in such a way that using /VERSION on UnrealIRCd as an IRCOp to see the SSL library is completely useless. It often cannot be used to check if you are patched or not. For example, on Ubuntu 20.04 LTS you will see "OpenSSL 1.1.1f 31 Mar 2020" before you upgraded OpenSSL and you also see the same version "OpenSSL 1.1.1f 31 Mar 2020" after you upgraded to the March 2022 openssl version with the fix. The only way to verify is to check on the command line with dpkg or rpm or by checking .so files to see if the OpenSSL version upgrade went OK or not. And even then you must be sure that the process (unrealircd in our case) has been restarted after the openssl upgrade for it to be effective.

Advice for Windows users:
For Windows we have released two new versions: 5.2.4b and 6.0.2b. This is because for Windows we ship binaries so they include LibreSSL DLL files. Windows users should upgrade to this version and restart UnrealIRCd.
The UnrealIRCd versions on Windows will still identify themselves as "5.2.4" and "6.0.2" everywhere, without any "b" suffix at the end. This is because their UnrealIRCd codebase is 5.2.4 / 6.0.2, there are zero unrealircd source code changes. If you wish to verify that you are indeed running with the fixed SSL library then run /VERSION on IRC as an IRCOp. If you see LibreSSL 3.4.3 then you are good. Any lower LibreSSL version is bad. Again, this is only true for Windows.
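The *NIX verification the post describes (check the package, not /VERSION, and confirm the process was restarted) as an added example script, not code from the UnrealIRCd project. It assumes Ubuntu 20.04 with the library in package libssl1.1 and takes 1.1.1f-1ubuntu2.12 as the fixed version, which is the one from the changelog quoted later in this thread; the stale-library check reads /proc/<pid>/maps, where the kernel marks a mapped file that was replaced on disk as "(deleted)".

```sh
#!/bin/sh
# Added example (not from the UnrealIRCd post): verify the CVE-2022-0778 fix
# via the package manager and the running process instead of /VERSION.
# Assumptions: Ubuntu 20.04, package libssl1.1, fixed version below taken
# from the Ubuntu changelog quoted in this thread. Adjust for other distros.

FIXED_VERSION="1.1.1f-1ubuntu2.12"

# Compare an installed package version with the fixed one using dpkg's own
# version ordering. Prints patched, vulnerable, or unknown (no input/no dpkg).
check_pkg_version() {
    [ -n "$1" ] && command -v dpkg >/dev/null 2>&1 || { echo unknown; return 0; }
    if dpkg --compare-versions "$1" ge "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Read /proc/<pid>/maps text on stdin and print each libssl/libcrypto mapping
# flagged "(deleted)": the upgrade replaced the file on disk, but this process
# still executes the old copy, so the fix is not effective until a restart.
stale_ssl_libs() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# Check one live process; exit status 1 means "restart needed".
check_process() {
    stale=$(stale_ssl_libs < "/proc/$1/maps")
    if [ -n "$stale" ]; then
        echo "pid $1 still maps a replaced library, restart unrealircd:"
        echo "$stale"
        return 1
    fi
    echo "pid $1 runs the on-disk OpenSSL library"
}

# Live check; only meaningful on a Debian/Ubuntu host running unrealircd.
installed=$(dpkg-query -W -f='${Version}' libssl1.1 2>/dev/null)
echo "libssl1.1 $installed: $(check_pkg_version "$installed")"
for pid in $(pidof unrealircd 2>/dev/null); do
    check_process "$pid"
done
```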
Lord255
Posts: 95
Joined: Sat Feb 29, 2020 12:58 am
Location: offline

Re: OpenSSL issue causing 100% CPU and unresponsive server (CVE-2022-0778)

Post by Lord255 »

for ubuntu users:
$ apt-get changelog openssl

you should see something like:


openssl (1.1.1f-1ubuntu2.12) focal-security; urgency=medium

  * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in
      crypto/bn/bn_sqrt.c.
    - debian/patches/CVE-2022-0778-2.patch: add documentation of
      BN_mod_sqrt() in doc/man3/BN_add.pod.
    - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for
      BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
    - CVE-2022-0778

 -- Marc Deslauriers <[email protected]>  Wed, 09 Mar 2022 07:12:45 -0500
(example above for 20.04)
rafaelgrether
Posts: 4
Joined: Mon Sep 13, 2021 7:36 pm

Re: OpenSSL issue causing 100% CPU and unresponsive server (CVE-2022-0778)

Post by rafaelgrether »

There is a malicious certificate and a PoC being exploited in the wild :(

For FreeBSD users, please run:
$ freebsd-update fetch install
OR update via patch, if you are using a custom kernel:
$ fetch https://security.FreeBSD.org/patches/SA ... nssl.patch
$ cd /usr/src
$ patch < /path/to/openssl.patch
And recompile/build world described here: https://docs.freebsd.org/en/books/handb ... #makeworld

I don't know if there are OpenBSD servers running UnrealIrcd.
If yes, you can apply the patch described here:
OBSD 7.0: https://ftp.openbsd.org/pub/OpenBSD/pat ... .patch.sig
OBSD 6.9: https://ftp.openbsd.org/pub/OpenBSD/pat ... .patch.sig
Older versions are EOL (without support).

For Linux users, look at the public advisory of your distro and how to update.