PT-2022-2676 · Openssl+1 · Gost Engine+1

Beldmit

Published

2022-05-24

Updated

2022-06-07

CVE-2022-29242

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions GOST engine versions prior to 3.0.1

Description The issue is related to a buffer overflow vulnerability in the GOST engine, a reference implementation of the Russian GOST crypto algorithms for OpenSSL. This occurs when the ciphersuite TLS GOSTR341112 256 WITH KUZNYECHIK CTR OMAC is agreed upon and the server uses 512-bit GOST secret keys. The vulnerability can be exploited by a remote attacker to cause a buffer overflow. Disabling the ciphersuite TLS GOSTR341112 256 WITH KUZNYECHIK CTR OMAC is a possible workaround.

Recommendations For GOST engine versions prior to 3.0.1, update to version 3.0.1 to resolve the issue. As a temporary workaround, consider disabling the ciphersuite TLS GOSTR341112 256 WITH KUZNYECHIK CTR OMAC until a patch is applied.

Exploit

Fix

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-120

Related Identifiers

BDU:2022-03165

CVE-2022-29242

GHSA-2RMW-8WPG-VGW5

Affected Products

Debian

Gost Engine

PT-2022-2676 · Openssl+1 · Gost Engine+1

CVE-2022-29242

Weakness Enumeration

Related Identifiers

Affected Products

References · 15