CVE-2022-3358 Overview
CVE-2022-3358 is a cryptographic vulnerability in OpenSSL versions 3.0.0 through 3.0.5 that causes legacy custom ciphers to be incorrectly substituted with the NULL cipher when certain conditions are met. This results in plaintext being emitted as ciphertext, completely bypassing encryption protections for affected applications.
The vulnerability exists in the handling of legacy custom ciphers created via the deprecated EVP_CIPHER_meth_new() function. When applications pass NID_undef to this function and subsequently use the custom cipher with encryption/decryption initialization functions such as EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), or EVP_CipherInit_ex2(), OpenSSL incorrectly attempts to fetch an equivalent cipher from available providers rather than using the custom cipher directly. This matching process resolves to the NULL cipher, which performs no encryption whatsoever.
Critical Impact
Applications using legacy custom ciphers with NID_undef may transmit or store sensitive data in plaintext, believing it to be encrypted, leading to complete confidentiality loss.
Affected Products
- OpenSSL 3.0.0 through 3.0.5
- Applications using EVP_CIPHER_meth_new() with NID_undef
- Third-party products embedding affected OpenSSL versions (SonicWall, NetApp)
Discovery Timeline
- 2022-10-11 - CVE CVE-2022-3358 published to NVD
- 2022-10-11 - OpenSSL releases security patch in version 3.0.6
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-3358
Vulnerability Analysis
This vulnerability represents a broken cryptography flaw stemming from improper handling of legacy cipher mechanisms during OpenSSL's transition to the provider-based architecture introduced in version 3.0. The core issue lies in the cipher resolution logic within the encryption initialization functions.
When an application creates a custom cipher using the deprecated EVP_CIPHER_meth_new() API with NID_undef as the cipher identifier, the expectation is that this custom cipher will be used directly for cryptographic operations. However, OpenSSL 3.0.x incorrectly deviates from this behavior by attempting to resolve an equivalent cipher through the provider mechanism.
The resolution process uses the NID (Numeric Identifier) to find a matching cipher. Since NID_undef represents an undefined or generic identifier, the matching algorithm resolves to the NULL cipher—a special cipher that performs identity transformation, passing plaintext through unchanged. If the default provider is loaded, this NULL cipher is successfully fetched, and all subsequent encryption operations produce no actual encryption.
The impact is particularly severe because applications have no indication that encryption is not occurring. The API calls succeed normally, but the output is identical to the input, completely negating any confidentiality protections the application intended to provide.
Root Cause
The root cause is a logic error in OpenSSL 3.0's cipher initialization functions that inappropriately attempts provider-based cipher resolution for legacy custom ciphers. Rather than using the custom cipher object directly as provided by the application, the code path incorrectly enters the provider resolution logic, where NID_undef matches to the NULL cipher. This architectural oversight in the legacy compatibility layer results in silent cipher substitution.
Attack Vector
The vulnerability can be exploited through applications that:
- Use the legacy EVP_CIPHER_meth_new() function with NID_undef to create custom ciphers
- Pass these custom ciphers to encryption/decryption initialization functions
- Have the default provider loaded (common configuration)
When these conditions are met, an attacker capable of intercepting network traffic or accessing stored data can read what was intended to be encrypted information in plaintext. This is a passive attack—no special techniques are required beyond capturing the unencrypted data.
The vulnerability mechanism involves the cipher initialization process. When EVP_EncryptInit_ex2() or similar functions receive a legacy custom cipher created with NID_undef, OpenSSL's provider resolution incorrectly matches this to the NULL cipher. With the default provider loaded, encryption operations silently produce plaintext output instead of ciphertext. Applications using SSL/TLS are not affected as they use different code paths.
Detection Methods for CVE-2022-3358
Indicators of Compromise
- Network traffic containing plaintext data that should be encrypted
- Log entries or captured data revealing sensitive information in cleartext
- Application data at rest that appears unencrypted despite encryption code execution
- Anomalous cipher suite selection showing NULL cipher usage
Detection Strategies
- Audit application source code for usage of EVP_CIPHER_meth_new() with NID_undef parameter
- Monitor network traffic for sensitive data patterns that should be encrypted
- Implement data integrity checks that can detect encryption failures
- Use static analysis tools to identify deprecated OpenSSL API usage patterns
Monitoring Recommendations
- Deploy network monitoring to detect plaintext transmission of sensitive data types
- Enable verbose logging in applications to capture cipher selection decisions
- Monitor for OpenSSL version strings in deployed applications to identify vulnerable instances
- Implement automated vulnerability scanning for OpenSSL library versions across infrastructure
How to Mitigate CVE-2022-3358
Immediate Actions Required
- Upgrade OpenSSL to version 3.0.6 or later immediately
- Review application code for usage of deprecated EVP_CIPHER_meth_new() API
- Replace legacy custom cipher implementations with the new provider mechanism
- If using NID_undef, change to a proper unique NID or migrate to the provider API
Patch Information
OpenSSL has addressed this vulnerability in version 3.0.6. The fix ensures that legacy custom ciphers are used directly rather than being incorrectly resolved through the provider mechanism. Organizations should upgrade to OpenSSL 3.0.6 or later. For detailed patch information, refer to the OpenSSL Security Advisory and the OpenSSL Commit Diff.
Additional vendor-specific advisories are available from SonicWall, NetApp, and Gentoo.
Workarounds
- Avoid using NID_undef when creating custom ciphers with EVP_CIPHER_meth_new()
- Migrate to the new provider mechanism for custom cipher implementations as recommended by OpenSSL
- Unload the default provider if NULL cipher functionality is not required
- Implement application-level encryption validation to detect cipher substitution
# Check OpenSSL version to verify if vulnerable
openssl version
# Vulnerable: OpenSSL 3.0.0 - 3.0.5
# Fixed: OpenSSL 3.0.6+
# Update OpenSSL on Debian/Ubuntu
sudo apt update && sudo apt install openssl
# Update OpenSSL on RHEL/CentOS
sudo yum update openssl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
