CVE-2022-0778: remote DoS in OpenSSL, VyOS 1.3.0 is affected
Yesterday the OpenSSL team disclosed a remote DoS vulnerability in OpenSSL versions 1.0.2, 1.1.1, and 3.0. You can find a complete description in their CVE-2022-0778 report. In short, any remote attacker can cause an infinite loop in OpenSSL by attempting to establish a TLS connection with a specially crafted malformed certificate, and thus cause a denial of service.
The only good thing is that it's merely a DoS vulnerability and not remote code execution. As DoS bugs go, though, it's as dangerous as they get, since anyone with a crafted certificate can attack any TLS-based service that uses a vulnerable OpenSSL version.
VyOS 1.2.8 has OpenSSL 1.0.1 so it's not affected.
VyOS 1.3.0 has OpenSSL 1.1.1 and thus is affected.
If you are running OpenVPN, OpenConnect, or another TLS-based service on VyOS 1.3.0, you can use this hotfix and install updated packages directly from Debian repositories for now:
wget -P /tmp/ http://security.debian.org/debian-security/pool/updates/main/o/openssl/openssl_1.1.1d-0+deb10u8_amd64.deb
wget -P /tmp/ http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.1_1.1.1d-0+deb10u8_amd64.deb
sudo dpkg -i /tmp/openssl_1.1.1d-0+deb10u8_amd64.deb /tmp/libssl1.1_1.1.1d-0+deb10u8_amd64.deb
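After applying the hotfix (or to find out whether a box still needs it), it helps to verify what libssl1.1 version is actually installed rather than trusting that the dpkg run succeeded. The script below is an added example, not part of the VyOS post or the VyOS project: it compares the installed libssl1.1 package version against the fixed Debian version taken from the package names above (1.1.1d-0+deb10u8), using dpkg-query for the installed version and sort -V for the comparison. The function names and the assumption that the fixed version string is the one from the hotfix packages are mine.

```shell
#!/bin/sh
# Added example (not from the VyOS post): report whether the installed
# libssl1.1 package is at or above the Debian build that fixes CVE-2022-0778.

# Fixed version taken from the hotfix package names in the post (assumption:
# any version >= this one carries the fix).
FIXED_VERSION="1.1.1d-0+deb10u8"

# version_at_least INSTALLED FIXED
# Returns 0 when INSTALLED >= FIXED. GNU sort -V orders these Debian-style
# version strings correctly (e.g. deb10u7 < deb10u8 < deb10u10).
version_at_least() {
    installed="$1"
    fixed="$2"
    highest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)
    [ "$highest" = "$installed" ]
}

# installed_version PACKAGE
# Prints the installed version of PACKAGE, or nothing if it is not installed
# (or dpkg-query is unavailable on this system).
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# check_libssl [PACKAGE]
# Exit status: 0 = fixed, 1 = vulnerable, 2 = package not found.
check_libssl() {
    pkg="${1:-libssl1.1}"
    v=$(installed_version "$pkg")
    if [ -z "$v" ]; then
        echo "$pkg: not installed (or dpkg-query unavailable)"
        return 2
    fi
    if version_at_least "$v" "$FIXED_VERSION"; then
        echo "$pkg $v: fixed (>= $FIXED_VERSION)"
        return 0
    fi
    echo "$pkg $v: VULNERABLE to CVE-2022-0778 (< $FIXED_VERSION)"
    return 1
}

# Run the check against the package the hotfix replaces.
check_libssl libssl1.1
```

Run it on the router after the dpkg step; a non-zero exit status means the hotfix did not land. Because the comparison is done on the package version rather than on `openssl version` output, it also catches the case where the openssl CLI was updated but the shared library that OpenVPN or OpenConnect actually loads was not.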
We are already working on the 1.3.1 release, and we expect it to be ready by Monday. We had in fact already been preparing a new release and had accumulated a whole bunch of bug fixes, but this vulnerability forced us to release sooner than we planned.
Stay tuned for updates!