## https://sploitus.com/exploit?id=918FA251-B6E2-58C6-A20A-B0E3B8BAF7BD
# Detection for CVE-2022-3602 - OpenSSL RCE/DoS v3.0.0 - v3.0.6
- Detects when the HTTP Server header indicates that the version of OpenSSL is vulnerable to CVE-2022-3602 (i.e. v3.0.0 to v3.0.6 inclusive).
- Detects exploitation attempts in TLS v1.2.
References:
- https://www.openssl.org/news/secadv/20221101.txt
- https://github.com/fox-it/spookyssl-pcaps
This package generates the following notices:
* `CVE20223602::CVE_2022_3602_Exploit_Attempt`
* `CVE20223602::CVE_2022_3602_Vulnerable_Server`
The notice also contains the artefact that triggered the notice within the `sub` field, which can assist with IR triage.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-11-04-11-13-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1667182702.131152 CKgObk3hwP00kyaoVd 127.0.0.1 53240 127.0.0.1 80 - - - tcp CVE20223602::CVE_2022_3602_Vulnerable_Server Potential OpenSSL CVE_2022_3602 Vulnerable server version (v3.0.0-3.0.6) SERVER value in HTTP header = 'Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5' 127.0.0.1 127.0.0.1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1667383240.417527 CYgEWD2cUZDWalTz9h 192.168.56.2 50478 192.168.56.3 3000 - - - tcp CVE20223602::CVE_2022_3602_Exploit_Attempt Potential OpenSSL CVE_2022_3602 exploit attempt (punycode) ext$value = 'Permitted:\x0a email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba\x0a' 192.168.56.2 192.168.56.3 3000 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1667390605.051174 CTKv5h4LdOlflhiM66 192.168.56.2 46590 192.168.56.3 3000 - - - tcp CVE20223602::CVE_2022_3602_Exploit_Attempt Potential OpenSSL CVE_2022_3602 exploit attempt (punycode) ext$value = 'Permitted:\x0a email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba@example.com\x0a' 192.168.56.2 192.168.56.3 3000 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1667393702.130181 CycBH72ljVsUydqGn5 192.168.56.2 46594 192.168.56.3 3000 - - - tcp CVE20223602::CVE_2022_3602_Exploit_Attempt Potential OpenSSL CVE_2022_3602 exploit attempt (punycode) ext$value = 'Permitted:\x0a email:xn--srt@fx-it-u1g.com\x0a' 192.168.56.2 192.168.56.3 3000 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-11-04-11-13-50
```
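The following is an added example and not part of this package's own Zeek code. It re-implements the Server-header version check in Python, parses a Zeek `notice.log` (the `#separator` and `#fields` header lines drive the column mapping) and pulls the triggering artefact out of the `sub` field for triage. The sample log is constructed from the three notices above, trimmed to the columns used and with the long punycode label shortened. As a secondary triage signal it also flags an `xn--` label in the permitted email constraint that exceeds the 63-octet DNS label limit from RFC 1035; that limit is an assumption of this example, not the package's rule, so it does not fire on the short `xn--srt` label that the package itself still reports.

```python
"""Added example: triage of CVE-2022-3602 notices from a Zeek notice.log.

Not the package's own detection logic; the sample log below is constructed
from the README's output and the 63-octet label heuristic is an assumption.
"""
import re
from typing import Optional

# OpenSSL/3.0.0 .. 3.0.6 inclusive is the affected range named in the README.
OPENSSL_VER_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)")
# The punycode label that follows "email:" inside the Permitted name constraint.
LABEL_RE = re.compile(r"email:(xn--[A-Za-z0-9-]+)")
DNS_LABEL_MAX = 63  # RFC 1035 label limit, used here only as a triage heuristic


def server_header_vulnerable(server: str) -> Optional[str]:
    """Return the OpenSSL version if the Server header is in the affected range, else None."""
    m = OPENSSL_VER_RE.search(server)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (3, 0) and 0 <= patch <= 6:
        return ".".join(m.groups())
    return None


def parse_zeek_tsv(text: str) -> list[dict[str, str]]:
    """Parse a Zeek ASCII log: '#separator' sets the delimiter, '#fields' names columns."""
    sep = "\t"
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator line is space-delimited and escaped, e.g. "#separator \x09".
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # other metadata lines (#path, #open, #close, ...)
        else:
            rows.append(dict(zip(fields, line.split(sep))))
    return rows


def suspicious_punycode_label(sub: str) -> Optional[str]:
    """Heuristic: return the xn-- label from the constraint if it is longer than a DNS label may be."""
    m = LABEL_RE.search(sub)
    if m and len(m.group(1)) > DNS_LABEL_MAX:
        return m.group(1)
    return None


def triage(text: str) -> list[tuple[str, str, Optional[str]]]:
    """Map each CVE-2022-3602 notice to (uid, note, extracted artefact or None)."""
    findings = []
    for row in parse_zeek_tsv(text):
        note, sub = row.get("note", ""), row.get("sub", "")
        if note.endswith("CVE_2022_3602_Vulnerable_Server"):
            findings.append((row["uid"], note, server_header_vulnerable(sub)))
        elif note.endswith("CVE_2022_3602_Exploit_Attempt"):
            findings.append((row["uid"], note, suspicious_punycode_label(sub)))
    return findings


def _row(*cols: str) -> str:
    return "\t".join(cols)


# Constructed: shortened from the page's notice but still far beyond 63 octets.
LONG_LABEL = "xn--" + "3B-ww4c5e180e575a65lsy2b" * 3 + "3B-ww4c5e180e575a65lsy2ba"

# Constructed sample notice.log, trimmed to the columns this example reads.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator ,",
    "#empty_field (empty)",
    "#unset_field -",
    "#path notice",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "note", "msg", "sub"),
    _row("1667182702.131152", "CKgObk3hwP00kyaoVd", "127.0.0.1", "53240", "127.0.0.1", "80",
         "CVE20223602::CVE_2022_3602_Vulnerable_Server",
         "Potential OpenSSL CVE_2022_3602 Vulnerable server version (v3.0.0-3.0.6)",
         "SERVER value in HTTP header = 'Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5'"),
    _row("1667383240.417527", "CYgEWD2cUZDWalTz9h", "192.168.56.2", "50478", "192.168.56.3", "3000",
         "CVE20223602::CVE_2022_3602_Exploit_Attempt",
         "Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)",
         f"ext$value = 'Permitted:\\x0a email:{LONG_LABEL}@example.com\\x0a'"),
    _row("1667393702.130181", "CycBH72ljVsUydqGn5", "192.168.56.2", "46594", "192.168.56.3", "3000",
         "CVE20223602::CVE_2022_3602_Exploit_Attempt",
         "Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)",
         "ext$value = 'Permitted:\\x0a email:xn--srt@fx-it-u1g.com\\x0a'"),
    "#close 2022-11-04-11-13-50",
])


if __name__ == "__main__":
    for uid, note, artefact in triage(SAMPLE_NOTICE_LOG):
        print(f"{uid}  {note.split('::')[1]}  artefact={artefact}")
```

Running the script prints one line per notice; the version check is the only one that decides on its own, while the label-length heuristic is a secondary signal to prioritise notices before pulling the corresponding `x509.log` or `ssl.log` records by `uid`.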
This package can be installed with `zkg` using the following commands:
```
$ zkg refresh
$ zkg install cve-2022-3602
```
Corelight customers can install it by updating the CVE bundle.