The Backend Engineering Show with Hussein Nasser artwork

This dangerous OpenSSL vulnerability can easily be triggered | CVE-2022-2274 Explained

The Backend Engineering Show with Hussein Nasser

English - July 15, 2022 11:23 - 9 minutes - 6.45 MB - ★★★★★ - 5 ratings
Technology Homepage Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Previous Episode: NULLs are weird, PG15 makes them less weird
Next Episode: ByteDance makes Linux kernel reboots faster

We discuss the CVE-2022-2274 OpenSSL Vulnerability.


The OpenSSL 3.0.4 release introduced a serious bug in the RSA


implementation for X86_64 CPUs supporting the AVX512IFMA instructions.


This issue makes the RSA implementation with 2048 bit private keys


incorrect on such machines and memory corruption will happen during


the computation. As a consequence of the memory corruption an attacker


may be able to trigger a remote code execution on the machine performing


the computation.


0:00 Intro


1:00 CVE-2022-2274


3:00 AVX512IFMA CISC


5:00 How the bug works


7:10 How can it be triggered


Resources


https://www.openssl.org/news/secadv/20220705.txt


https://github.com/openssl/openssl/issues/18625


https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/


https://eprint.iacr.org/2018/335


https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345


https://linux.die.net/man/3/bn_internal


https://www.microfocus.com/documentation/enterprise-developer/ed60/ES-WIN/GUID-E3960B1E-C42E-4748-A5EB-6E12507C9CD7.html


https://www.microcontrollertips.com/risc-vs-cisc-architectures-one-better/


Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)


https://network.husseinnasser.com