Detection for CVE-2022-3602 - OpenSSL RCE/DoS v3.0.0 - v3.0.6
- Detects when the HTTP Server header indicates that the version of OpenSSL is vulnerable to CVE-2022-3602 (i.e. v3.0.0 to v3.0.6 inclusive).
- Detects exploitation attempts in TLS v1.2.
References:
This package generates the following notices:
CVE20223602::CVE_2022_3602_Exploit_Attempt
CVE20223602::CVE_2022_3602_Vulnerable_Server
The notice also contains the artefact that triggered it within the sub field, which can assist with IR triage.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-11-04-11-13-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1667182702.131152 CKgObk3hwP00kyaoVd 127.0.0.1 53240 127.0.0.1 80 - - - tcp CVE20223602::CVE_2022_3602_Vulnerable_Server Potential OpenSSL CVE_2022_3602 Vulnerable server version (v3.0.0-3.0.6) SERVER value in HTTP header = 'Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5' 127.0.0.1 127.0.0.1 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1667383240.417527 CYgEWD2cUZDWalTz9h 192.168.56.2 50478 192.168.56.3 3000 - - - tcp CVE20223602::CVE_2022_3602_Exploit_Attempt Potential OpenSSL CVE_2022_3602 exploit attempt (punycode) ext$value = 'Permitted:\x0a email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba\x0a' 192.168.56.2 192.168.56.3 3000 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1667390605.051174 CTKv5h4LdOlflhiM66 192.168.56.2 46590 192.168.56.3 3000 - - - tcp CVE20223602::CVE_2022_3602_Exploit_Attempt Potential OpenSSL CVE_2022_3602 exploit attempt (punycode) ext$value = 'Permitted:\x0a email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba@example.com\x0a' 192.168.56.2 192.168.56.3 3000 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1667393702.130181 CycBH72ljVsUydqGn5 192.168.56.2 46594 192.168.56.3 3000 - - - tcp CVE20223602::CVE_2022_3602_Exploit_Attempt Potential OpenSSL CVE_2022_3602 exploit attempt (punycode) ext$value = 'Permitted:\x0a email:xn--srt@fx-it-u1g.com\x0a' 192.168.56.2 192.168.56.3 3000 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-11-04-11-13-50
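As an added example that is not part of the package, the two checks described above reimplemented in Python over the values seen in the notice.log excerpt: the Server header version test and the punycode email name-constraint test. The notice names are the package's; the patched header and the benign constraint value are constructed here.

```python
import re
from typing import List, Optional, Tuple

# Inclusive range of OpenSSL releases affected by CVE-2022-3602 (fixed in 3.0.7).
VULN_MIN = (3, 0, 0)
VULN_MAX = (3, 0, 6)

OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)")
# An email name constraint whose local or domain part carries a punycode label (xn--).
PUNY_EMAIL_RE = re.compile(r"email:\s*(\S*xn--\S*)", re.IGNORECASE)


def openssl_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract the OpenSSL version advertised in an HTTP Server header, if any."""
    m = OPENSSL_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def server_is_vulnerable(server_header: str) -> bool:
    """True when the advertised OpenSSL build is 3.0.0 .. 3.0.6 inclusive."""
    v = openssl_version(server_header)
    return v is not None and VULN_MIN <= v <= VULN_MAX


def punycode_email_constraints(ext_value: str) -> List[str]:
    """Return the email entries of an X.509 name-constraints value that contain
    a punycode label. Any such entry deserves a look; the overflow is reached
    while OpenSSL decodes punycode in an email name constraint."""
    return PUNY_EMAIL_RE.findall(ext_value)


def triage(server_header: str, ext_value: str) -> List[str]:
    """Combine both checks into the notice names the package emits."""
    notices = []
    if server_is_vulnerable(server_header):
        notices.append("CVE20223602::CVE_2022_3602_Vulnerable_Server")
    if punycode_email_constraints(ext_value):
        notices.append("CVE20223602::CVE_2022_3602_Exploit_Attempt")
    return notices


# Samples: the first header and the short ext$value come from the notice.log
# excerpt above; the patched header and the benign constraint are constructed.
SAMPLE_HEADER_VULN = "Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5"
SAMPLE_HEADER_FIXED = "Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.7"
SAMPLE_EXT_PUNY = "Permitted:\n email:xn--srt@fx-it-u1g.com\n"
SAMPLE_EXT_BENIGN = "Permitted:\n email:example.com\n"

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER_VULN, SAMPLE_EXT_PUNY))
```

The Server header is an indication rather than proof: distributions may backport the fix without changing the version string, and many servers suppress the banner entirely, so treat the Vulnerable_Server notice as a prompt to verify the installed package.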
This package can be installed with zkg using the following commands:
$ zkg refresh
$ zkg install cve-2022-3602
Corelight customers can install it by updating the CVE bundle.