06-Dec-2022 05:00 - edited 06-Dec-2022 08:55
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible OpenSSL Punycode Email Address Buffer Overflow Attempt Inbound (CVE-2022-3602)"; \
flow:established,to_client; \
tls.certs; \
content:"|06 03 55 1d 1e|"; \
content:"xn--"; fast_pattern; within:30; byte_test:2,>,513,-6,relative; \
reference:url,www.openssl.org/news/secadv/20221101.txt; \
reference:cve,2022-3602; \
classtype:attempted-admin; \
sid:2039618; rev:1; metadata:attack_target Server, created_at 2022_11_01, cve CVE_2022_3602, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_11_02;)
alert tls $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL Punycode Email Address Buffer Overflow Attempt Outbound (CVE-2022-3602)"; \
flow:established,to_server; \
content:"|06 03 55 1d 1e|"; \
content:"xn--"; fast_pattern; within:30; byte_test:2,>,513,-6,relative; \
reference:url,www.openssl.org/news/secadv/20221101.txt; \
reference:cve,2022-3602; \
classtype:attempted-admin; \
sid:2039619; rev:1; metadata:attack_target Server, created_at 2022_11_02, cve CVE_2022_3602, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_11_02;)
alert tls any any -> any any (msg:"FOX-SRT - Exploit - Possible SpookySSL Certificate Observed (CVE-2022-3602)"; \
flow:established; \
content:"|2b 06 01 05 05 07 08 09|"; fast_pattern; \
content:"|06 03 55 1d 1e|"; content:"xn--"; \
content:!"|81|"; distance:-6; within:1; byte_test:2,>=,500,-6,relative; \
classtype:attempted-user; threshold:type limit,track by_src,count 1,seconds 3600; \
reference:url,www.openssl.org/news/secadv/20221101.txt; \
reference:url,https://github.com/fox-it/spookyssl-pcaps; \
metadata:ids suricata; \
metadata:created_at 2022-11-02; sid:21004268; rev:3;)
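The three rules above share one core test: find the nameConstraints OID (06 03 55 1d 1e is the DER encoding of 2.5.29.30), find "xn--" shortly after it, and byte_test the two bytes sitting immediately before "xn--", which in DER is where a long-form (0x82 xx xx) length of the rfc822Name string ends up. The Fox-IT rule additionally requires the SmtpUTF8Mailbox OID (2b 06 01 05 05 07 08 09 is 1.3.6.1.5.5.7.8.9) and rejects a 0x81 byte at that position. The following Python is an added example, not part of the original post nor code from ET or Fox-IT: it builds a constructed nameConstraints extension around an rfc822Name of a chosen length, then replays each rule's byte-matching clauses against the resulting buffer so you can see which encodings trip which rule. The SAN otherName blob, the sample mailbox and the function names are my own constructions.

```python
# Added example (not from the original post, ET or Fox-IT): builds a DER
# nameConstraints extension carrying an rfc822Name and replays the
# byte-matching logic of the rules above to show what each clause tests.

NAME_CONSTRAINTS_OID = bytes.fromhex("0603551d1e")          # OID 2.5.29.30
SMTP_UTF8_MAILBOX_OID = bytes.fromhex("2b06010505070809")    # OID 1.3.6.1.5.5.7.8.9


def der_len(n: int) -> bytes:
    """DER length: short form below 128, else long form 0x81/0x82 + value."""
    if n < 0x80:
        return bytes([n])
    if n <= 0xFF:
        return bytes([0x81, n])
    if n <= 0xFFFF:
        return bytes([0x82, n >> 8, n & 0xFF])
    raise ValueError("length too large for this example")


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value encoding of one DER element."""
    return bytes([tag]) + der_len(len(body)) + body


def build_sample(email: bytes) -> bytes:
    """Constructed test data: a SAN otherName (SmtpUTF8Mailbox) followed by a
    nameConstraints extension whose permittedSubtrees holds one rfc822Name
    ([1] IMPLICIT IA5String, context tag 0x81)."""
    other_name = tlv(0xA0, tlv(0x06, SMTP_UTF8_MAILBOX_OID)
                     + tlv(0xA0, tlv(0x0C, b"user@example.com")))
    subtree = tlv(0x30, tlv(0x81, email))              # GeneralSubtree { base }
    name_constraints = tlv(0x30, tlv(0xA0, subtree))   # permittedSubtrees [0]
    extension = tlv(0x30, NAME_CONSTRAINTS_OID + tlv(0x04, name_constraints))
    return other_name + extension


def et_rule_matches(buf: bytes) -> bool:
    """content:"|06 03 55 1d 1e|"; content:"xn--"; within:30;
    byte_test:2,>,513,-6,relative;"""
    start = 0
    while (oid := buf.find(NAME_CONSTRAINTS_OID, start)) >= 0:
        cursor = oid + len(NAME_CONSTRAINTS_OID)
        # within:30 -> "xn--" must end no more than 30 bytes past the cursor
        idx = buf.find(b"xn--", cursor, cursor + 30)
        if idx >= 0:
            pos = idx + 4 - 6            # the 2 bytes immediately before "xn--"
            if pos >= 0 and int.from_bytes(buf[pos:pos + 2], "big") > 513:
                return True
        start = oid + 1
    return False


def fox_rule_matches(buf: bytes) -> bool:
    """content:"|2b 06 01 05 05 07 08 09|"; content:"|06 03 55 1d 1e|";
    content:"xn--"; content:!"|81|"; distance:-6; within:1;
    byte_test:2,>=,500,-6,relative;"""
    if SMTP_UTF8_MAILBOX_OID not in buf or NAME_CONSTRAINTS_OID not in buf:
        return False
    start = 0
    while (idx := buf.find(b"xn--", start)) >= 0:
        pos = idx + 4 - 6
        # The byte two places before "xn--" must not be 0x81. For rfc822Names
        # shorter than 256 bytes that byte is either the 0x81 context tag or the
        # 0x81 long-form length marker, and the 16-bit byte_test would read it
        # as the high byte of a length, satisfying ">= 500" for any value.
        if (pos >= 0 and buf[pos] != 0x81
                and int.from_bytes(buf[pos:pos + 2], "big") >= 500):
            return True
        start = idx + 1
    return False


if __name__ == "__main__":
    long_name = build_sample(b"xn--" + b"a" * 600 + b"@example.com")   # 616 bytes
    short_name = build_sample(b"xn--abc@example.com")                  # 19 bytes
    for label, sample in (("616-byte rfc822Name", long_name),
                          ("19-byte rfc822Name", short_name)):
        print(f"{label}: ET={et_rule_matches(sample)} Fox-IT={fox_rule_matches(sample)}")
```

Running it shows the 616-byte name firing both rules, while the 19-byte name fires only the ET rule: its length byte is 0x13 and the preceding tag 0x81 is read as the high byte, so the byte_test sees 0x8113. That is exactly the case the Fox-IT rule's `content:!"|81|"; distance:-6; within:1;` excludes. Keep in mind this replays the clauses over a flat byte buffer; Suricata's `tls.certs` buffer and the AFM protocol-inspection engine each have their own matching and retry semantics, so treat it as a reading aid for the rule logic rather than a substitute for testing against the Fox-IT pcaps.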
user@(host1)(pid-30952)(cfg-sync Standalone)(Active)(/Common)(tmos)# list security protocol-inspection signature openssl-sig-CVE-2022-3602
security protocol-inspection signature openssl-sig-CVE-2022-3602 {
attack-type protocol-other
description SpookySSL
documentation "Possible OpenSSL Punycode Email Address Buffer Overflow Attempt Outbound (CVE-2022-3602)"
id 100001
last-updated 2022-11-04:09:29:48
protocol "tcp"
reference-links https://github.com/fox-it/spookyssl-pcaps
revision 1
service ssl
sig "content: \"|06 03 55 1d 1e|\"; content:\"xn--\"; fast_pattern; within:30; byte_test:2,>,513,-6,relative;"
subscription no
user-defined yes
}
[user@host1:Active:Standalone] config # tmsh
user@(host1)(pid-31262)(cfg-sync Standalone)(Active)(/Common)(tmos)# security protocol-inspection signature
user@(host1)(pid-31262)(cfg-sync Standalone)(Active)(/Common)(tmos.security.protocol-inspection.signature)#
create openssl-sig-CVE-2022-3602 description SpookySSL attack-type protocol-other reference-links https://github.com/fox-it/spookyssl-pcaps service ssl protocol { tcp } sig "content: \"|06 03 55 1d 1e|\"; content:\"xn--\"; fast_pattern; within:30; byte_test:2,>,513,-6,relative; " documentation "Possible SpookySSL Certificate Observed (CVE-2022-3602) (Based on ET Open Ruleset)"
There's a huge gotcha in all this and it comes in the form of TLS 1.3. In TLS 1.3, certificates are no longer sent in the clear - they are sent in encrypted form (Fox-IT calls that out in the readme on their GitHub page, too). Of course that means that any signatures, whether deployed in AFM or any other engine, are no longer able to inspect the certificate for potentially malicious punycoded strings.
If you are inspecting inbound traffic and you control the servers then you have at least a measure of choice here: disable TLS 1.3 and continue to have visibility into client certificates at the expense of some security, or enable TLS 1.3 and lose that visibility but gain security; of course, you've already upgraded to OpenSSL 3.0.7 so the risk here is minimal... right?
If you're trying to inspect outbound traffic to servers you do not control (where you wish to inspect the incoming server certificate) then of course you have very little control over what the client and server negotiate. That's probably a topic for another blog!