cve/2022/CVE-2022-4450.md

### [CVE-2022-4450](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450)
![](https://img.shields.io/static/v1?label=Product&message=OpenSSL&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3.0.0%3C%203.0.8%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=double-free&color=brighgreen)

### Description

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses anddecodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.If the function succeeds then the "name_out", "header" and "data" arguments arepopulated with pointers to buffers containing the relevant decoded data. Thecaller is responsible for freeing those buffers. It is possible to construct aPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()will return a failure code but will populate the header argument with a pointerto a buffer that has already been freed. If the caller also frees this bufferthen a double free will occur. This will most likely lead to a crash. Thiscould be exploited by an attacker who has the ability to supply malicious PEMfiles for parsing to achieve a denial of service attack.The functions PEM_read_bio() and PEM_read() are simple wrappers aroundPEM_read_bio_ex() and therefore these functions are also directly affected.These functions are also called indirectly by a number of other OpenSSLfunctions including PEM_X509_INFO_read_bio_ex() andSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internaluses of these functions are not vulnerable because the caller does not free theheader argument if PEM_read_bio_ex() returns a failure code. These locationsinclude the PEM_read_bio_TYPE() functions as well as the decoders introduced inOpenSSL 3.0.The OpenSSL asn1parse command line application is also impacted by this issue.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/FairwindsOps/bif
- https://github.com/PajakAlexandre/wik-dps-tp02
- https://github.com/Tuttu7/Yum-command
- https://github.com/a23au/awe-base-images
- https://github.com/bluesentinelsec/landing-zone
- https://github.com/chnzzh/OpenSSL-CVE-lib
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/neo9/fluentd
- https://github.com/nidhi7598/OPENSSL_1.1.1g_G3_CVE-2022-4450
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/peng-hui/CarpetFuzz
- https://github.com/rootameen/vulpine
- https://github.com/stkcat/awe-base-images
- https://github.com/tnishiox/kernelcare-playground
- https://github.com/waugustus/CarpetFuzz
- https://github.com/waugustus/waugustus
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2022-4450](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450)`
			`![](https://img.shields.io/static/v1?label=Product&message=OpenSSL&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=3.0.0%3C%203.0.8%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=double-free&color=brighgreen)`

			`### Description`

			The function PEM_read_bio_ex() reads a PEM file from a BIO and parses anddecodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.If the function succeeds then the "name_out", "header" and "data" arguments arepopulated with pointers to buffers containing the relevant decoded data. Thecaller is responsible for freeing those buffers. It is possible to construct aPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()will return a failure code but will populate the header argument with a pointerto a buffer that has already been freed. If the caller also frees this bufferthen a double free will occur. This will most likely lead to a crash. Thiscould be exploited by an attacker who has the ability to supply malicious PEMfiles for parsing to achieve a denial of service attack.The functions PEM_read_bio() and PEM_read() are simple wrappers aroundPEM_read_bio_ex() and therefore these functions are also directly affected.These functions are also called indirectly by a number of other OpenSSLfunctions including PEM_X509_INFO_read_bio_ex() andSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internaluses of these functions are not vulnerable because the caller does not free theheader argument if PEM_read_bio_ex() returns a failure code. These locationsinclude the PEM_read_bio_TYPE() functions as well as the decoders introduced inOpenSSL 3.0.The OpenSSL asn1parse command line application is also impacted by this issue.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/FairwindsOps/bif`
			`- https://github.com/PajakAlexandre/wik-dps-tp02`
			`- https://github.com/Tuttu7/Yum-command`
			`- https://github.com/a23au/awe-base-images`
			`- https://github.com/bluesentinelsec/landing-zone`
			`- https://github.com/chnzzh/OpenSSL-CVE-lib`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`
			`- https://github.com/neo9/fluentd`
			`- https://github.com/nidhi7598/OPENSSL_1.1.1g_G3_CVE-2022-4450`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
			`- https://github.com/peng-hui/CarpetFuzz`
			`- https://github.com/rootameen/vulpine`
			`- https://github.com/stkcat/awe-base-images`
			`- https://github.com/tnishiox/kernelcare-playground`
			`- https://github.com/waugustus/CarpetFuzz`
			`- https://github.com/waugustus/waugustus`