This dangerous OpenSSL vulnerability can easily be triggered | CVE-2022-2274 Explained - podcast episode cover

This dangerous OpenSSL vulnerability can easily be triggered | CVE-2022-2274 Explained

The Backend Engineering Show with Hussein Nasser
Jul 15, 20229 min
--:--
--:--
Listen in podcast apps:
Apple Podcasts
Spotify
Download
YouTube
Overcast
Pocket Casts
Episodes.fm
Download Metacast podcast app
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episode description

We discuss the CVE-2022-2274 OpenSSL Vulnerability.

The OpenSSL 3.0.4 release introduced a serious bug in the RSA

implementation for X86_64 CPUs supporting the AVX512IFMA instructions.

This issue makes the RSA implementation with 2048 bit private keys

incorrect on such machines and memory corruption will happen during

the computation. As a consequence of the memory corruption an attacker

may be able to trigger a remote code execution on the machine performing

the computation.

0:00 Intro

1:00 CVE-2022-2274

3:00 AVX512IFMA CISC

5:00 How the bug works

7:10 How can it be triggered

Resources

https://www.openssl.org/news/secadv/20220705.txt

https://github.com/openssl/openssl/issues/18625

https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/

https://eprint.iacr.org/2018/335

https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345

https://linux.die.net/man/3/bn_internal

https://www.microfocus.com/documentation/enterprise-developer/ed60/ES-WIN/GUID-E3960B1E-C42E-4748-A5EB-6E12507C9CD7.html

https://www.microcontrollertips.com/risc-vs-cisc-architectures-one-better/

Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)

https://network.husseinnasser.com

For the best experience, listen in Metacast app for iOS or Android