CVE Vulnerability

CVE-2022-29242

GOST engine is a reference implementation of the Russian GOST crypto algorithms for OpenSSL. TLS clients using GOST engine when ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is agreed and the server uses 512 bit GOST secret keys are vulnerable to buffer overflow. GOST engine version 3.0.1 contains a patch for this issue. Disabling ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is a possible workaround.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808 Patch Third Party Advisory
https://github.com/gost-engine/engine/releases/tag/v3.0.1 Release Notes Third Party Advisory
https://github.com/gost-engine/engine/commit/7df766124f87768b43b9e8947c5a01e17545772c Patch Third Party Advisory
https://github.com/gost-engine/engine/commit/c6655a0b620a3e31f085cc906f8073fe81b2fad3 Patch Third Party Advisory
https://github.com/gost-engine/engine/security/advisories/GHSA-2rmw-8wpg-vgw5 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:gost_engine_project:gost_engine:*:*:*:*:*:*:*:*
Information

Published : 2022-05-24 03:15

Updated : 2022-06-07 04:54

NVD link : CVE-2022-29242

Mitre link : CVE-2022-29242

Products Affected
No products.
CWE
CWE-120