> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of > Steven_M.irc via openssl-users > Sent: Wednesday, 2 November, 2022 17:18 > > I'm really worried about the vulnerabilities recently found in OpenSSL > versions 3.0.0 - 3.0.6. Why? What's your threat model? > If I understand things correctly (and please do > correct me if I'm wrong), it doesn't matter which version of OpenSSL clients > are running, only which version of OpenSSL *servers* are running. Thus it > seems like end-users can do very little to protect themselves. Protect themselves from what? Take the most recent issues, CVE-2022-3786 and -3602. 3786 is a potential 4-byte buffer overflow when parsing an email address component of a distinguished name in a certificate. (Note, contrary to what you wrote above, this could affect both servers and clients, since it would be triggered by parsing a malformed certificate.) This is probably not exploitable, per the OpenSSL blog post and analyses performed elsewhere, but let's imagine the worst case: OpenSSL 3.0.6 running on some platform where it's possible to leverage this BOF into an RCE. If that's a server system, then: 1) If the server doesn't request client certificates, it should reject a Certificate message from the client, and not try to parse any, so there's no exposure. 2) We'll assume *you* aren't going to send a malicious certificate, so for your connection the vulnerability is irrelevant. 3) So the only case we care about is where some other actor sends a malicious certificate and chains the RCE with other attacks to pivot and escalate and subvert the server. We're on a pretty narrow branch of the attack tree here, and more importantly, the same could be true of a vast array of potential vulnerabilities in the server site. This is only an issue if an attacker can't find any other more useful vulnerability in the site. If you pay attention to IT security, you know *that* isn't likely. If it's a client system, then you only care if it's *your* client, and you visit a malicious site. If you're in the habit of using OpenSSL 3.0.6 to connect to malicious servers, well, 3786 is not likely to be high on your list of problems. 3602 is even less likely to be exploitable. Vulnerabilities are only meaningful in the context of a threat model. I don't see a plausible threat model where these should matter to a client-side end user. -- Michael Wojcik