
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2022-43705 affects Botan versions before 2.19.3, where it is possible to forge OCSP (Online Certificate Status Protocol) responses due to a certificate verification error. This vulnerability was introduced in Botan 1.11.34 (November 2016) and was disclosed in November 2022. Botan is a cryptographic library implementation, and this vulnerability specifically impacts its certificate validation functionality (NVD, GitHub Advisory).
The vulnerability stems from a failure to verify that an authorized responder certificate embedded in an OCSP response is authorized by the issuing CA. When validating OCSP responses, the system should verify that responder certificates are authorized by the CA, but versions 2.19.2 and older failed to perform this verification. This allowed any valid signature by an embedded certificate to pass the check and make claims about the revocation status of certificates of any CA. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).
Attackers in a position to spoof OCSP responses could exploit this vulnerability to render legitimate certificates of a third-party CA as revoked or use a compromised (and actually revoked) certificate by spoofing an OCSP-'OK' response. For example, an attacker could impersonate a legitimate TLS server using a compromised certificate and bypass the revocation check using OCSP stapling (GitHub Advisory).
The issue has been patched in Botan version 2.19.3, with a more comprehensive fix planned for version 3.0.0. As a workaround, users can manually verify that OCSP responses were signed by the legitimate CA certificate that issued the certificate in question, which effectively forbids delegated (authorized responder) certificates altogether. Users who do not rely on OCSP for certificate revocation checks are not affected, and temporarily switching to CRLs for revocation checks may be a viable alternative (GitHub Advisory).
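To make the missing check concrete, the following added example (not Botan's code) models the RFC 6960 authorized-responder rule in Python. Certificates are constructed plain records, signature verification is reduced to matching the signing CA's key identifier, and the three modes correspond to the vulnerable behaviour, the 2.19.3 fix and the advisory's strict workaround; all names and key identifiers are assumptions for illustration.

```python
from dataclasses import dataclass, field

OCSP_SIGNING = "id-kp-OCSPSigning"  # extended key usage required on a delegated responder

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not a real parser)."""
    subject: str
    issuer: str            # subject name of the CA that issued this certificate
    key_id: str            # identifier of this certificate's public key
    signed_by_key_id: str  # key that produced this certificate's signature
    ekus: frozenset = field(default_factory=frozenset)

def cert_issued_by(cert: Cert, ca: Cert) -> bool:
    """Stand-in for chain validation: the cert must name the CA and carry a signature by its key."""
    return cert.issuer == ca.subject and cert.signed_by_key_id == ca.key_id

def responder_accepted(signer: Cert, issuing_ca: Cert, mode: str) -> bool:
    """Decide whether `signer` may sign OCSP responses about certificates issued by `issuing_ca`.

    Assumes the response signature itself has already been verified against signer.key_id.
    mode "vulnerable": Botan <= 2.19.2, any embedded cert whose signature verifies is accepted.
    mode "fixed":      the CA itself, or a responder cert issued directly by the CA with OCSPSigning EKU.
    mode "strict":     advisory workaround, only the issuing CA itself may sign.
    """
    if signer.key_id == issuing_ca.key_id:
        return True  # the issuing CA signed the response directly
    if mode == "strict":
        return False
    if mode == "vulnerable":
        return True  # the bug: authorization by the issuing CA was never checked
    return cert_issued_by(signer, issuing_ca) and OCSP_SIGNING in signer.ekus

# Constructed sample certificates (hypothetical names and key identifiers).
CA = Cert("CN=Example CA", "CN=Example CA", "ca-key", "ca-key")
DELEGATED = Cert("CN=OCSP Responder", "CN=Example CA", "resp-key", "ca-key", frozenset({OCSP_SIGNING}))
NO_EKU = Cert("CN=Web Server", "CN=Example CA", "srv-key", "ca-key", frozenset({"id-kp-serverAuth"}))
# Self-signed cert that merely claims the CA as issuer: the forgery case the advisory describes.
ROGUE = Cert("CN=OCSP Responder", "CN=Example CA", "rogue-key", "rogue-key", frozenset({OCSP_SIGNING}))

def decisions(mode: str) -> dict:
    """Return the acceptance decision for each sample signer under the given mode."""
    return {name: responder_accepted(c, CA, mode)
            for name, c in (("ca", CA), ("delegated", DELEGATED), ("no_eku", NO_EKU), ("rogue", ROGUE))}

if __name__ == "__main__":
    for mode in ("vulnerable", "fixed", "strict"):
        print(mode, decisions(mode))
```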
Source: This report was generated using AI