ISC StormCast for Wednesday, November 2nd, 2022
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 2 November 2022
⏱️ 8 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello and welcome to the Wednesday, November 2, 2020 edition of the Sansonet Stormer's |
| 0:07.7 | Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida. |
| 0:15.5 | Well, of course, the bulk of today's podcast will be dedicated to the patch released for OpenSSL, even though it turned |
| 0:24.6 | out to be not quite as bad as people, including myself, anticipated when it was pre-announced. |
| 0:32.4 | It was pre-announced as a critical vulnerability, but then what was actually released was only rated as high. |
| 0:41.3 | The reason behind this is that yes, potentially this vulnerability could be used for remote code execution, |
| 0:48.3 | which of course typically rates it critical, but it does require some fairly specific preconditions and also is unlikely to be |
| 0:57.9 | exploitable on most common platforms. I will link in the show notes to a blog post by OpenSL |
| 1:05.9 | that has a couple more details about the downgrading from critical to high. So let's talk a little bit about |
| 1:13.7 | this vulnerability. It does affect certificates that contain domain names that are using |
| 1:22.9 | international characters. In domain names, international characters are typically encoded as puny code, |
| 1:30.3 | and that's the representation of domain names that you find in certificates, which could happen |
| 1:37.6 | as like a subject alternate name, where you typically find host names, sort of in server |
| 1:42.8 | certificates, but it could also occur in |
| 1:45.9 | email addresses. Now, there are actually two CVEs, so two distinct vulnerabilities, CVE2 |
| 1:52.4 | CVE 2020-3602 and CVE 2022-3786, but the vulnerabilities are very closely related. They're both related to this |
| 2:04.5 | puny code issue. In so far, I'll treat more or less here as a one vulnerability. The first |
| 2:12.5 | one being the one that was originally rated as critical, it does allow a 4-byte buffer overflow if an |
| 2:21.1 | invalid puny code string is being parsed, but this only happens if the certificate first passes |
| 2:28.6 | the certificate validation, so it has to be signed with a trusted certificate authority. |
| 2:35.9 | Now, typically, certificates are really only validated by clients. |
| 2:40.2 | If a client connects to a server, the certificate is sent from the server to the client, |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.