VyOS Platform Blog

Building an open source network OS for the people, together.

CVE-2022-0778: remote DoS in OpenSSL, VyOS 1.3.0 is affected

Daniil Baturin
Posted 16 Mar, 2022

Hello Community!

Yesterday the OpenSSL team disclosed a remote DoS vulnerability in OpenSSL versions 1.0.2, 1.1.1, and 3.0. You can find a complete description here in their  CVE-202200778 report. In short, any remote attacker can cause an infinite loop in OpenSSL by attempting to establish a TLS connection with a specially crafted malformed certificate, and cause a denial of service.

The only good thing is that it's merely a DoS vulnerability and not remote code execution. As a DoS bug though it's as dangerous as it can be since anyone with a crafted certificate can attack any TLS-based service if it uses a vulnerable OpenSSL version.

VyOS 1.2.8 has OpenSSL 1.0.1 so it's not affected.

VyOS 1.3.0 has OpenSSL 1.1.1 and thus is affected.

If you are running OpenVPN, OpenConnect, or another TLS-based service on VyOS 1.3.0, you can use this hotfix and install updated packages directly from Debian repositories for now:

wget -P /tmp/ http://security.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.1.1d-0+deb10u8_amd64.deb
wget -P /tmp/ http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.1_1.1.1d-0+deb10u8_amd64.deb
sudo dpkg -i /tmp/openssl_1.1.1d-0+deb10u8_amd64.deb /tmp/libssl1.1_1.1.1d-0+deb10u8_amd64.deb

We are already working on the 1.3.1 release, and we expect it to be ready by Monday. We were actually already working on a new release and accumulated a whole bunch of bug fixes, but this vulnerability forced us to make a release sooner than we planned.

Stay tuned for updates!

The post categories:

Comments