CVE-2022-29242

EUVD-2022-33599
GOST engine is a reference implementation of the Russian GOST crypto algorithms for OpenSSL. TLS clients using GOST engine when ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is agreed and the server uses 512 bit GOST secret keys are vulnerable to buffer overflow. GOST engine version 3.0.1 contains a patch for this issue. Disabling ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is a possible workaround.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
gost_engine_projectgost_engine
𝑥
< 3.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libengine-gost-openssl
bookworm
3.0.1-2
fixed
bullseye
no-dsa
buster
no-dsa
sid
3.0.2-1
fixed
libengine-gost-openssl1.1
bullseye
vulnerable
buster
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libengine-gost-openssl1.1
bionic
needs-triage
focal
needs-triage
impish
ignored
jammy
needs-triage
kinetic
dne
lunar
dne
mantic
dne
noble
dne
Common Weakness Enumeration
References
https://github.com/gost-engine/engine/commit/7df766124f87768b43b9e8947c5a01e17545772c
https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808
https://github.com/gost-engine/engine/commit/c6655a0b620a3e31f085cc906f8073fe81b2fad3
https://github.com/gost-engine/engine/releases/tag/v3.0.1
https://github.com/gost-engine/engine/security/advisories/GHSA-2rmw-8wpg-vgw5
https://github.com/gost-engine/engine/commit/7df766124f87768b43b9e8947c5a01e17545772c
https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808
https://github.com/gost-engine/engine/commit/c6655a0b620a3e31f085cc906f8073fe81b2fad3
https://github.com/gost-engine/engine/releases/tag/v3.0.1
https://github.com/gost-engine/engine/security/advisories/GHSA-2rmw-8wpg-vgw5