01 · The Real Story
This is a land mine hidden in the certificate parser, not a skeleton key for the whole network
This finding is CVE-2022-0778 in OpenSSL's BN_mod_sqrt() routine. On affected builds, a crafted X.509 certificate or private key with malformed explicit elliptic-curve parameters can push the parser into an infinite loop, hanging the process and causing denial of service only. For the plugin you cited, the directly affected upstream range is OpenSSL 1.1.1 through 1.1.1m, fixed in 1.1.1n on 2022-03-15; OpenSSL 3.0.0-3.0.1 and 1.0.2-1.0.2zc were also affected upstream.
The raw CVSS 7.5/HIGH is technically defensible because the crash path can be network-reachable and does not require prior auth, but it overstates fleet-wide urgency for a generic enterprise estate. In practice, exploitation requires a target that actually parses attacker-supplied certificates or keys: a TLS client talking to a malicious server, a TLS server doing client-certificate auth, a CA/PKI workflow, or a product ingesting customer certs/keys. That prerequisite sharply narrows exposed population, and the impact is a hang of the consuming process, not code execution or data theft. This is why the plugin's VPR Medium 5.8 feels closer to reality than the base CVSS.
"Real bug, real PoC, but most enterprises need a very specific cert-parsing path before this becomes reachable"
02 · The Attack Path
4 steps from start to impact.
STEP 01
Find a cert-parsing surface
The attacker first needs a workflow that will feed untrusted X.509 material into vulnerable OpenSSL code. In the real world that usually means one of four paths: a client connecting outbound to a malicious TLS server, a server requesting client certificates, a certificate upload/CSR intake feature, or a product that imports customer-supplied keys. The weaponized input is a crafted certificate/private key based on public research and PoC material from Tavis Ormandy and later public PoCs.
Conditions required:
- Target uses vulnerable OpenSSL linked into the live service or client
- Target accepts or fetches attacker-controlled certificate material
- The vulnerable parsing path is actually exercised
Where this breaks in practice:
- Most Internet-facing TLS servers do not request client certificates
- OpenSSL is a library, so many deployments are affected only in specific app paths, not every TLS handshake
- Outbound client path often requires user activity, service discovery abuse, or MITM-style positioning
Detection/coverage: Asset scanners usually detect this by package version only. Tenable plugin
158974 explicitly says it did not test exploitation and relied on self-reported versioning.STEP 02
Deliver the malformed certificate
Using a PoC such as the Packet Storm publication for CVE-2022-0778, the attacker serves or submits a certificate containing invalid explicit EC parameters that will reach
BN_mod_sqrt(). Delivery can happen over TLS handshake, certificate upload, CSR submission, or private-key import depending on the product.Conditions required:
- Attacker can stand up a malicious TLS endpoint or submit certificate material to the target
- Target does not pre-filter or reject the object before OpenSSL parsing
Where this breaks in practice:
- Many enterprise proxies, PKI workflows, and app-layer validators reject malformed objects before they hit the vulnerable path
- Some scenarios require a very particular business workflow, not generic Internet spray
Detection/coverage: Network IDS/IPS coverage exists in some stacks; for example, Palo Alto published Threat IDs
92409 and 92411 for known attack patterns. Generic vulnerability scanners will not confirm reachability of this step.STEP 03
Trigger the infinite loop in BN_mod_sqrt()
Once the malformed object is parsed, the vulnerable OpenSSL routine can loop forever on non-prime moduli. This happens before certificate verification completes, so a trusted cert is not required. The process consuming the certificate stalls and may peg CPU or hang a worker/thread.
Conditions required:
- Affected OpenSSL code path is invoked during parse/verification
- Service does not isolate parsing in a short-lived worker with timeouts
Where this breaks in practice:
- Single-process or worker-level hangs are easier to absorb when services pool workers or restart on health failure
- Modern orchestrators and watchdogs may recycle the stuck process before broad service outage
Detection/coverage: Good telemetry is process-level: CPU pinning, watchdog restarts, crash-loop alerts, certificate parse errors, and sudden worker starvation. EDR can see the hang, but it usually won't label it as CVE-2022-0778 specifically.
STEP 04
Convert a parser hang into business impact
The attacker only gets availability impact. If the vulnerable component is single-threaded, under-provisioned, or embedded in a security boundary device, repeated triggers can degrade or deny the service. On ordinary servers with supervision and load balancing, the blast radius is usually one process or one node at a time rather than a full-estate compromise.
Conditions required:
- Targeted service is mission-critical or resource-constrained
- Repeated requests can be sent faster than the platform recovers
Where this breaks in practice:
- No confidentiality or integrity impact
- No persistence, privilege gain, or lateral movement from the flaw itself
- HA pairs, worker recycling, and rate controls substantially blunt impact
Detection/coverage: Availability monitoring is the main signal: health checks failing, worker exhaustion, CPU spikes, and connection failures. This is better detected by observability than by perimeter blocking alone.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | I found no authoritative evidence of active exploitation in the retrieved source set. Palo Alto stated it was not aware of malicious exploitation on its products, and this CVE does not appear in CISA KEV. |
|---|---|
| Proof-of-concept availability | Yes. Public exploit material exists, including the Packet Storm posting authored by Tavis Ormandy / Google Security Research and public GitHub PoCs such as jkakavas/CVE-2022-0778-POC referenced by Snyk/dbugs. |
| EPSS | 0.07519 (~7.5%) from Tenable's CVE page, sourced from FIRST EPSS. That is elevated for a DoS bug, but still far below the tier that normally justifies emergency fleet action by itself. |
| KEV status | Not KEV-listed in the retrieved CISA catalog results; no CISA due date found for this CVE. |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H = network, unauthenticated, availability-only. The scoring assumes a reachable network parser, which is the part that is often not true across a generic enterprise fleet. |
| Affected versions | Upstream affected ranges include OpenSSL 1.1.1-1.1.1m, 3.0.0-3.0.1, and 1.0.2-1.0.2zc. The Tenable plugin specifically fires on installed OpenSSL prior to 1.1.1n. |
| Fixed versions | Upstream fixes landed in 1.1.1n, 3.0.2, and 1.0.2zd. Distro backports matter: Debian fixed this as 1.1.1d-0+deb10u8 for buster and 1.1.1k-1+deb11u2 for bullseye, even though those strings are numerically below 1.1.1n. |
| Scanner / detection coverage | Tenable plugin 158974 is version-based only and says Nessus did not test for the issue. Expect false-positive-looking conversations on backported distro packages unless you validate package release metadata. |
| Exposure / internet census reality | There is no clean Internet census for 'vulnerable OpenSSL' as a library. Shodan/Censys-style exposure only works when dependent products banner versions or can be fingerprinted; the exploitable population is therefore much smaller than raw package prevalence suggests. *This is an inference from the library deployment model plus version-based scanner behavior.* |
| Disclosure / researcher | Disclosed 2022-03-15. Reported to OpenSSL on 2022-02-24 by Tavis Ormandy (Google); fix developed by David Benjamin (Google) and Tomáš Mráz (OpenSSL). |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to MEDIUM (5.9/10)
The decisive downward pressure is reachability: this bug is dangerous only where an attacker can make your stack parse their certificate or key, and that is a much narrower population than 'everything linked against OpenSSL.' Public PoC and easy triggering keep it relevant, but the impact remains availability-only with no code execution, no credential theft, and usually limited node-level blast radius.
HIGH Root-cause and affected-version mapping
HIGH Availability-only impact assessment
MEDIUM Fleet-wide exposure reduction from real-world parser reachability
Why this verdict
- Downgrade from CVSS HIGH: the base 7.5 assumes a vulnerable parser is directly reachable over the network; in enterprise reality, many hosts merely *ship* OpenSSL without exposing an attacker-controlled certificate parse path.
- Posture friction: the most common Internet-facing server case only works if the server consumes attacker-supplied certs, typically mTLS/client-auth or a certificate upload workflow. That exposure population is far smaller than generic HTTPS.
- Client-side path implies a prior foothold or user flow: attacking TLS clients usually requires luring clients to a malicious server, service-discovery abuse, or MITM-style positioning, which compounds downward pressure.
- Impact is availability only: this hangs a process or worker; it does not hand over execution, privileges, secrets, or persistence.
- But not low/ignore: public PoC exists, trigger reliability is good once the parser path is hit, and the library is ubiquitous enough that PKI-heavy environments, appliances, proxies, and security tools can still suffer meaningful outages.
Why not higher?
This is not a broad unauthenticated Internet-to-RCE situation. The exploit chain collapses entirely if the target never parses attacker-controlled certificates or keys, and even successful exploitation produces only a hang/DoS, often bounded to one process, one worker pool, or one device node behind supervision or HA.
Why not lower?
The bug is real, the trigger condition is well understood, and public PoC exists. In environments that do parse untrusted certificate material—reverse proxies with mTLS, VPN clients, PKI tooling, CA workflows, cert-management portals, security appliances—the attack is easy enough to matter and can create immediate service disruption.
05 · Compensating Control
What to do — in priority order.
- Map cert-parsing exposure — Within the no mitigation SLA — go straight to the 365-day remediation window for a MEDIUM, identify where OpenSSL is used in mTLS, certificate upload/import, CSR processing, VPN clients, PKI, mail gateways, and reverse proxies. This is the single best way to separate noisy package hits from actually reachable risk.
- Turn on parser-path IPS where available — If your stack supports it, enable signatures that detect malformed certificate attacks; for example, Palo Alto documents Threat IDs
92409and92411. Do this on exposed ingress points to reduce opportunistic exploitation while you validate patch coverage; for a MEDIUM there is no mitigation SLA, so use this selectively where exposure is proven. - Constrain client-certificate auth — Review Internet-facing services that request client certificates and disable unnecessary mTLS prompts or narrow them to trusted networks. This shrinks the unauthenticated attack surface immediately and is worth doing during the normal remediation window.
- Harden process supervision — Ensure watchdog restarts, health probes, worker recycling, and sane per-connection timeouts are in place for services that parse certificates. This does not fix the bug, but it reduces outage duration and blast radius if a parser thread hangs before patching within the MEDIUM remediation window.
- Validate distro backports before retagging — Before escalating tickets, compare package release metadata against vendor advisories on Debian/RHEL/SUSE-style systems. Many hosts will appear numerically below
1.1.1nyet already contain the fix; clean this up early so the team spends time on reachable exposure, not version-string archaeology.
What doesn't work
- Simply blocking 'bad certificates' at the application layer is unreliable, because the vulnerable parse happens before full certificate verification.
- EDR alone does not prevent the exploit path; it may show the hung process after the fact, but it rarely stops certificate parsing in the library.
- A generic WAF is not a dependable fix unless the vulnerable certificate flow actually traverses the WAF and the product understands the protocol carrying the certificate object.
- Version-string comparison without distro context does not work well on backported Linux packages and will overstate exposure.
06 · Verification
Crowdsourced verification payload.
Run this on the target Linux/macOS/Unix host that triggered the plugin, not on your scanner. Invoke it as sudo bash check-openssl-cve-2022-0778.sh or bash check-openssl-cve-2022-0778.sh; root is recommended so the script can query package managers cleanly, but it will still attempt a best-effort check unprivileged. It prints VULNERABLE, PATCHED, or UNKNOWN and exits 0, 1, or 2 respectively.
#!/usr/bin/env bash
# check-openssl-cve-2022-0778.sh
# Determine likely exposure to CVE-2022-0778 on the local host.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=VULNERABLE, 1=PATCHED, 2=UNKNOWN
set -u
have() { command -v "$1" >/dev/null 2>&1; }
result_unknown() {
echo "UNKNOWN: $1"
exit 2
}
result_vuln() {
echo "VULNERABLE: $1"
exit 0
}
result_patched() {
echo "PATCHED: $1"
exit 1
}
version_ge() {
# returns 0 if $1 >= $2
if have dpkg; then
dpkg --compare-versions "$1" ge "$2"
return $?
fi
local first
first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
[ "$first" = "$2" ]
}
OPENSSL_BIN=""
if have openssl; then
OPENSSL_BIN=$(command -v openssl)
fi
if [ -n "$OPENSSL_BIN" ]; then
OPENSSL_FULL=$($OPENSSL_BIN version 2>/dev/null || true)
OPENSSL_VER=$($OPENSSL_BIN version 2>/dev/null | awk '{print $2}')
else
OPENSSL_FULL=""
OPENSSL_VER=""
fi
# Debian / Ubuntu backport-aware checks
if have dpkg-query; then
PKG_VER=$(dpkg-query -W -f='${Version}' openssl 2>/dev/null || true)
if [ -n "$PKG_VER" ]; then
. /etc/os-release 2>/dev/null || true
DISTRO_ID=${ID:-unknown}
DISTRO_VER=${VERSION_ID:-unknown}
case "$DISTRO_ID:$DISTRO_VER" in
debian:10)
if dpkg --compare-versions "$PKG_VER" ge '1.1.1d-0+deb10u8'; then
result_patched "Debian 10 openssl package version $PKG_VER includes the CVE-2022-0778 fix (DSA-5103)."
else
result_vuln "Debian 10 openssl package version $PKG_VER is below fixed version 1.1.1d-0+deb10u8."
fi
;;
debian:11)
if dpkg --compare-versions "$PKG_VER" ge '1.1.1k-1+deb11u2'; then
result_patched "Debian 11 openssl package version $PKG_VER includes the CVE-2022-0778 fix (DSA-5103)."
else
result_vuln "Debian 11 openssl package version $PKG_VER is below fixed version 1.1.1k-1+deb11u2."
fi
;;
ubuntu:*)
# Ubuntu commonly backports fixes; package version is authoritative.
# If ubuntu-security-status tooling is absent, keep this conservative.
if printf '%s' "$PKG_VER" | grep -qi 'ubuntu'; then
echo "UNKNOWN: Ubuntu openssl package version $PKG_VER detected. Ubuntu often backports fixes; confirm against the Ubuntu CVE tracker for CVE-2022-0778."
exit 2
fi
;;
esac
fi
fi
# RPM-based best-effort check
if have rpm; then
RPM_VER=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl 2>/dev/null || true)
if [ -n "$RPM_VER" ] && [ "$RPM_VER" != "package openssl is not installed" ]; then
if printf '%s' "$RPM_VER" | grep -Eq 'el7|el8|el9|amzn|sles|opensuse'; then
echo "UNKNOWN: RPM package openssl-$RPM_VER detected. Enterprise RPM distros often backport this fix; verify with the vendor advisory for your distro build."
exit 2
fi
fi
fi
# Upstream version-string check for non-backported installs and source builds
if [ -z "$OPENSSL_VER" ]; then
result_unknown "openssl binary not found and no authoritative package result available."
fi
case "$OPENSSL_VER" in
1.1.1*)
# Vulnerable upstream: 1.1.1 through 1.1.1m; fixed: 1.1.1n+
if version_ge "$OPENSSL_VER" '1.1.1n'; then
result_patched "OpenSSL runtime version is $OPENSSL_FULL, which is >= 1.1.1n."
else
result_vuln "OpenSSL runtime version is $OPENSSL_FULL, which is < 1.1.1n."
fi
;;
3.0.*)
if version_ge "$OPENSSL_VER" '3.0.2'; then
result_patched "OpenSSL runtime version is $OPENSSL_FULL, which is >= 3.0.2."
else
result_vuln "OpenSSL runtime version is $OPENSSL_FULL, which is < 3.0.2."
fi
;;
1.0.2*)
# Publicly fixed only for premium support customers as 1.0.2zd.
if version_ge "$OPENSSL_VER" '1.0.2zd'; then
result_patched "OpenSSL runtime version is $OPENSSL_FULL, which is >= 1.0.2zd."
else
result_vuln "OpenSSL runtime version is $OPENSSL_FULL, which is in the affected 1.0.2 line below 1.0.2zd."
fi
;;
*)
result_unknown "OpenSSL runtime version is $OPENSSL_FULL. This script only makes an authoritative decision for affected upstream branches 1.0.2, 1.1.1, and 3.0.x or known distro backports."
;;
esac
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, do not treat this like Internet-wide fire drill patching unless you confirm a real cert-parsing exposure path. First, use the plugin output to build a smaller queue of hosts that actually terminate TLS with client cert auth, import customer certs/keys, run PKI/CA workflows, or make sensitive outbound TLS connections; validate Linux backports so you do not chase false positives. Because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window for ordinary hosts; for truly exposed cert-ingestion systems, put lightweight parser-path mitigations and monitoring in place now and finish patching to vendor-fixed builds well inside the noisgate remediation SLA of ≤ 365 days.
Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.