Downgraded but Still Dangerous: Continue to Take the OpenSSL Vulnerabilities Very Seriously
Pondurance November 02, 2022
Do you know where you’re using OpenSSL versions 3.0.0 through 3.0.6 in your environments?
The latest critical vulnerability to hit the news, in a recent flood of zero-days and high-profile vulnerabilities, affects OpenSSL versions 3.0.0 through 3.0.6, and like the other scary security flaws, it’s not something organizations can afford to ignore. We’re still referring to it as “critical” here because it is, although in the formal severity ratings this new OpenSSL flaw has been downgraded from “critical” to “high”.
OpenSSL version 3.0 was released in September 2021 to much fanfare and represented a significant update to the popular SSL/TLS toolkit. It represented “3 years of development work, 17 alpha releases, 2 beta releases, over 7,500 commits and contributions from over 350 different authors”, and got some great coverage in publications including Help Net Security, Dark Reading and SecurityWeek. As well it should: version 3.0 added significant new capabilities designed to help developers write and orchestrate more secure code.
What is OpenSSL, How Is It Being Used and What is the Vulnerability?
According to the OpenSSL Project, the organization that develops and maintains the software, OpenSSL is “a robust, commercial-grade, full-featured toolkit for general purpose cryptography and secure communication.” This software library came to life in 1998 (learn more on Wikipedia) and has grown to be one of the most widely used cryptography libraries for securing the way applications, operating systems and websites communicate over the internet. ITPro reports that OpenSSL “is used by the majority of HTTPS websites as well as on a range of web servers.”
OpenSSL is available to license for free for both commercial and non-commercial use under what’s called an Apache-style license.
The patch released on November 1, 2022 was going to be only the second critical-vulnerability patch in the OpenSSL project’s history; the only other patch for a vulnerability with that rating was issued back in 2016. However, the release of the fixes for this flaw brought news of the downgrade from “critical” to “high”, and that there are actually two high-severity vulnerabilities to fix: CVE-2022-3602 and CVE-2022-3786.
According to ZDNet:
“Specifically, you need to worry with [CVE] 3786 about a buffer overrun that can be triggered in X.509 certificate verification. Here, an attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This could cause a system crash or RCEs.
“With [CVE] 3602, your concern is that a stack-based buffer overflow was found in the way OpenSSL processes X.509 certificates with a specially crafted email address field. Again, this could cause a crash or an RCE.”
Early Warnings Were of the Potential for Another Heartbleed
A flaw in OpenSSL version 1.0.1 was responsible for the Heartbleed security bug disclosed in April of 2014 and now cataloged as CVE-2014-0160. Called “catastrophic” by many cybersecurity experts, this vulnerability “affected 17% of all SSL servers” and caused nothing less than a full-blown security crisis.
When this new vulnerability was disclosed last week, it looked like we were going to be faced with another OpenSSL critical vulnerability of the magnitude of Heartbleed, a Heartbleed 2.0. The good news, besides the fact that the vulnerability has been downgraded to “high”, is that it affects only version 3.0.0 and above, so anyone using earlier versions of OpenSSL (that have been patched) is not impacted.
Next Stop: OpenSSL 3.0.7
OpenSSL 3.0 is used in Ubuntu 22.04 and MacOS Mavericks and Ventura. Exposure to Windows OS hasn’t been confirmed. Updates and patches from these major vendors should be expected in short order now that the fixes have been released. The harder-to-define downstream risk lies with other technologies that have OpenSSL embedded. Anything that communicates securely over the internet is a candidate and could potentially use OpenSSL, although versions 3.0 and above are not as pervasive as the earlier versions, which are not impacted by this vulnerability.
Follow the path to download fixes for the two high-severity vulnerabilities here.
What You Can Do Now
- Get online and download OpenSSL 3.0.7!
- Identify the products and services in your environments that are using OpenSSL version 3.0 or higher. We know… easier said than done, but take inventory so you understand exactly where you might be vulnerable, and so that you understand the extent of the patch work that’s required.
- Reach out to your technology and service providers and ask them to be accountable to you regarding their projected remediation timeline.
- From the FAQ on the OpenSSL Project blog: “… If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible.”
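As an added example (not code from Pondurance or the OpenSSL project), here is a small Python inventory helper that implements the second item above and the downstream-risk point from the previous section: it parses `openssl version` banners against the stated affected range (3.0.0 through 3.0.6, with 3.0.7 as the fix), flags which assets need the update, and reads `ldd` output to spot a vendor binary that bundles its own libssl.so.3 even where no openssl CLI is installed. The host names, banners and ldd excerpt are constructed sample data, and the soname mapping (libssl.so.3 for 3.x, libssl.so.1.1 for 1.1.x) is OpenSSL's own library naming convention, not anything the post states.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the post and the OpenSSL advisory:
# 3.0.0 through 3.0.6 are vulnerable to CVE-2022-3602 / CVE-2022-3786,
# 3.0.7 carries the fix, and the 1.0.x / 1.1.x branches are not affected.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches the leading part of an `openssl version` banner, e.g. "OpenSSL 3.0.5 5 Jul 2022".
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")

# Matches a libssl shared-object name in `ldd` output, e.g. "libssl.so.3" or "libssl.so.1.1".
SONAME_RE = re.compile(r"libssl\.so\.(\d+(?:\.\d+)*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an OpenSSL version banner.
    Returns None for anything that is not an OpenSSL banner (LibreSSL, BoringSSL,
    or an empty string from a host without the CLI)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(banner: str) -> str:
    """Classify a banner as 'affected', 'fixed', 'not-affected' or 'unknown'.
    'unknown' covers non-OpenSSL banners and branches the post does not cover
    (3.1 development builds and later); check the advisory for those rather than
    assuming they are safe."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v[:2] == (3, 0):
        return "fixed"          # 3.0.7 or later on the 3.0 branch
    if v[0] < 3:
        return "not-affected"   # earlier branches are not impacted per the post
    return "unknown"


def linked_libssl_soname(ldd_output: str) -> Optional[str]:
    """Return the libssl soname version a binary links against, from `ldd` output.
    OpenSSL 3.x ships libssl.so.3 and OpenSSL 1.1.x ships libssl.so.1.1, so this is a
    quick way to spot software with an embedded or bundled 3.0-series OpenSSL even when
    no `openssl` CLI is installed. Returns None if the binary does not link libssl."""
    m = SONAME_RE.search(ldd_output)
    return m.group(1) if m else None


def affected_assets(inventory: Dict[str, str]) -> List[str]:
    """Given {asset name: openssl version banner}, return the sorted names that need 3.0.7."""
    return sorted(name for name, banner in inventory.items() if classify(banner) == "affected")


def local_openssl_banner() -> str:
    """Run `openssl version` on this host; return '' if the CLI is missing."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True, text=True,
                              check=False, timeout=10).stdout.strip()
    except (OSError, subprocess.SubprocessError):
        return ""


# Constructed sample data (hypothetical hosts and banners, not a real inventory).
SAMPLE_INVENTORY = {
    "api-gw-01": "OpenSSL 3.0.5 5 Jul 2022",
    "build-agent-03": "OpenSSL 3.0.2 15 Mar 2022",
    "legacy-web-02": "OpenSSL 1.1.1q 5 Jul 2022",
    "bastion-01": "OpenSSL 3.0.7 1 Nov 2022",
    "mac-dev-07": "LibreSSL 3.3.6",
}

# Constructed `ldd` excerpt for a vendor binary that ships no CLI but links libssl.so.3.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2a3f0000)
\tlibssl.so.3 => /opt/vendor-app/lib/libssl.so.3 (0x00007f3c1a200000)
\tlibcrypto.so.3 => /opt/vendor-app/lib/libcrypto.so.3 (0x00007f3c19c00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19a00000)
"""

if __name__ == "__main__":
    for name, banner in SAMPLE_INVENTORY.items():
        print(f"{name:16} {classify(banner):13} {banner}")
    print("needs 3.0.7:", affected_assets(SAMPLE_INVENTORY))
    print("vendor binary links libssl.so." + str(linked_libssl_soname(SAMPLE_LDD)))
    local = local_openssl_banner()
    print("this host:", local or "(no openssl CLI)", "->", classify(local))
```

In practice you would feed `affected_assets` the banners collected by your configuration-management or EDR tooling, and run the `ldd` check over the binaries of third-party appliances and agents, since those are exactly the embedded copies that a package-manager query misses. A LibreSSL or 3.1-dev result is deliberately reported as "unknown" rather than "safe" so that it gets a human look against the advisory.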
Along with the patch comes information on the indicators of compromise (IoCs) that the Pondurance security operations center (SOC) team is now using to actively hunt for and mitigate any threats related to the OpenSSL vulnerability that our clients might incur. If you’re working with a managed security services provider, make sure they’re “on it” and have started the hunt.
Where to Learn More
Some good sources of additional information include:
- OpenSSL Project – All vulnerabilities and links to their fixes
- OpenSSL Project – Downloads
- OpenSSL Security Advisory
- From the Dutch Nationaal Cyber Security Centrum (NCSC-NL): Overview of the software (un)affected by the vulnerability
- SANS Internet Storm Center
Pondurance CISO, Dustin Hutchinson, provided specific guidance to healthcare organizations in the article Healthcare Sector Urged to Address OpenSSL Flaws in HealthcareInfo Security.
Background on this vulnerability leading up to November 1st:
- Dark Reading: Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn
- ZDNet: OpenSSL warns of critical security vulnerability with upcoming patch
- Help Net Security: Incoming OpenSSL critical fix: Organizations, users, get ready!
- SANS Internet Storm Center: Upcoming Critical OpenSSL Vulnerability: What will be Affected? (Note: This includes a quick list of OpenSSL versions for different operating systems)
We’ll Keep You Updated
As with the Log4j vulnerability reported late last year, we go into the end of 2022 with a new and severe vulnerability that could open the door to a flood of cyberattacks. If you’re a Pondurance client, the good news is that you’ve got a great team of highly skilled security professionals who know what to look for, who understand a threat when they see one, and who can take action to mitigate threats immediately.
We’ll stay on top of this evolving situation and report out on any new important findings related to this latest OpenSSL vulnerability.
If you think you’re experiencing an incident and need help, contact our Incident Response hotline at 888-385-1720.