Moxa Moxa’s Response Regarding the OpenSSL X.509 Email Address 4-byte Buffer Overflow Vulnerability (CVE-2022-3602)

Act Nowmoxa-response-regarding-the-openssl-x-509-email-address-4-byte-buffer-overflow-vNov 4, 2022

Moxa

Summary

OpenSSL CVE-2022-3602 is a buffer overflow in X.509 certificate verification that affects name constraint checking. A malicious email address in a certificate can overflow four bytes on the stack, potentially causing denial of service or remote code execution. Exploitation requires either a CA-signed malicious certificate or an application configured to ignore CA verification failures. Moxa has completed a vulnerability assessment and determined that none of their products are impacted by this vulnerability.

What this means

What could happen

Moxa has determined that none of their products are affected by this OpenSSL X.509 vulnerability. No operational impact is expected for deployed Moxa equipment.

Who's at risk

This advisory applies to industrial equipment manufacturers and integrators using Moxa networking products. However, Moxa has confirmed that their product line is not vulnerable, so this does not present a direct threat to Moxa-based deployments. Organizations using non-Moxa equipment with embedded OpenSSL should verify their vendors' vulnerability responses.

How it could be exploited

This vulnerability affects OpenSSL's X.509 certificate verification logic, which processes certificates during TLS handshakes. An attacker would need to present a maliciously crafted certificate with an oversized email address in the Subject Alternative Name field to trigger the buffer overflow during name constraint checking. Exploitation requires either a compromised or malicious CA to sign the certificate, or for the application to continue processing a certificate chain that failed standard verification.

Prerequisites

A malicious X.509 certificate signed by a trusted CA, or an application configured to ignore CA verification failures
Network access to TLS/SSL services on the target device
The target application must perform X.509 name constraint checking

High EPSS score (83.2%)OpenSSL library-level vulnerabilityPotential for remote code execution in vulnerable implementations

Exploitability

Likely to be exploited — EPSS score 83.5%

Public Proof-of-Concept (PoC) on GitHub (8 repositories)

Affected products (1)

ProductAffected VersionsFix Status

Moxa’s Response Regarding the OpenSSL X.509 Email Address 4-byte Buffer Overflow Vulnerability (CVE-2022-3602)All versionsNo fix yet

Remediation & Mitigation

0/2

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGVerify your current Moxa product versions against Moxa's published advisory confirming no impact

Long-term hardening

0/1

HARDENINGMonitor for any updates to Moxa's vendor statement if additional products are identified as affected

CVEs (1)

CVE-2022-3602

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ae9a2a6c-9f96-43d1-9b54-397630dd15d2

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.