We discuss the CVE-2022-2274 OpenSSL Vulnerability.

The OpenSSL 3.0.4 release introduced a serious bug in the RSA

implementation for X86_64 CPUs supporting the AVX512IFMA instructions.

This issue makes the RSA implementation with 2048 bit private keys

incorrect on such machines and memory corruption will happen during

the computation. As a consequence of the memory corruption an attacker

may be able to trigger a remote code execution on the machine performing

the computation.

0:00 Intro

1:00 CVE-2022-2274

3:00 AVX512IFMA CISC

5:00 How the bug works

7:10 How can it be triggered

Resources

https://www.openssl.org/news/secadv/20220705.txt

https://github.com/openssl/openssl/issues/18625

https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/

https://eprint.iacr.org/2018/335

https://github.com/openssl/openssl/commit/4d8a88c134df634ba610ff8db1eb8478ac5fd345

https://linux.die.net/man/3/bn_internal

https://www.microfocus.com/documentation/enterprise-developer/ed60/ES-WIN/GUID-E3960B1E-C42E-4748-A5EB-6E12507C9CD7.html

https://www.microcontrollertips.com/risc-vs-cisc-architectures-one-better/

Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)

https://network.husseinnasser.com