English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.104354
Category:General
Title:OpenSSL: Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358) - Windows
Summary:OpenSSL is prone to an information disclosure vulnerability.
Description:Summary:
OpenSSL is prone to an information disclosure vulnerability.

Vulnerability Insight:
OpenSSL supports creating a custom cipher via the legacy
EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in
OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in
order to implement custom ciphers.

OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the
EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other
similarly named encryption and decryption initialisation functions). Instead of using the custom
cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers.
An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is
supposed to represent the unique NID for a given cipher. However it is possible for an application
to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef
is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL
cipher as being equivalent and will fetch this from the available providers. This will succeed if
the default provider has been loaded (or if a third party provider has been loaded that offers
this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext.

Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef
and subsequently use it in a call to an encryption/decryption initialisation function.
Applications that only use SSL/TLS are not impacted by this issue.

Affected Software/OS:
OpenSSL versions 3.0.0 through 3.0.5.

Solution:
Update to version 3.0.6 or later.

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2022-3358
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b
https://www.openssl.org/news/secadv/20221011.txt
https://security.gentoo.org/glsa/202402-08
CopyrightCopyright (C) 2022 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.