Last week, the OpenSSL Project announced that a patch would be released on November 1, 2022, to address a critical OpenSSL vulnerability, the details of which were being withheld to prevent exploitation of the flaw before the patch was available. The news caused considerable concern among the open source community and beyond because of how widely OpenSSL is used: it underpins encrypted communication channels and HTTPS connections, so the implications of such a flaw are enormous.
The news of a critical flaw brought back memories of the Heartbleed bug (CVE-2014-0160), which was exploited to read the memory of systems including servers and routers and to eavesdrop on communications. It is now 8 years since that patch was released, and there are still 240,000 publicly accessible servers that remain vulnerable to Heartbleed.
The latest vulnerability affects versions 3.0 to 3.0.6 of OpenSSL. Version 3 was only released a year ago, so usage of the latest version is limited; however, the vulnerability still has the potential to be extremely serious and has been a major cause of concern. “The short answer is you should be worried,” said Yotam Perkal, Director of Vulnerability Research at Rezilion. As for how worried you should be, Perkal said, “that depends how many vulnerable instances of OpenSSL 3.x you have in your environment and do you have the ability to accurately detect them so that you could apply the patch once it’s out.” For many organizations, the answer to the latter will be no. This is why it took so long for the Heartbleed bug to be patched.
The OpenSSL Project announced that the patch for the vulnerability would be released between 13:00 and 17:00 UTC on November 1, 2022.
Not One But Two Vulnerabilities
The OpenSSL Project has now confirmed that the vulnerability is not one issue, but two. The two flaws are being tracked as CVE-2022-3602 and CVE-2022-3786, although there is some good news. The severity of the flaws has been downgraded from critical to high severity, and exploiting the flaws would be difficult and require a high level of technical skill.
CVE-2022-3602 is a 4-byte stack buffer overflow that, if exploited, could cause a crash or potentially lead to remote code execution. CVE-2022-3786 is a buffer overflow issue that could be exploited using malicious email addresses in a denial-of-service attack.
The OpenSSL Project said that at the time of releasing the patches, it was not aware of any working exploit in the public domain that would allow remote code execution and that no evidence has been found to indicate either vulnerability has been exploited to date.
The Health Sector Cybersecurity Coordination Center issued an alert about the flaw soon after the OpenSSL Project announced a patch was due for release, warning that exploitation of the flaw was very likely and may start almost immediately after the publication of the patch. Even though the severity of the flaws has been reduced, exploitation is still possible, so prompt patching is recommended wherever OpenSSL 3.0 to 3.0.6 is in use. Fortunately, the vulnerable versions of OpenSSL have yet to be heavily deployed in production: currently, between 7,000 and 16,000 systems exposed to the Internet are running vulnerable OpenSSL versions.
Exploitation of the bugs would require a high level of technical skill, which limits the potential for exploitation. Researcher Marcus Hutchins said that while one of the flaws could theoretically lead to RCE, it would be extremely unlikely for the flaw to be exploited and lead to RCE.
That said, OpenSSL warns that “OpenSSL is distributed as source code, we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack, and therefore remote code execution may still be possible on some platforms.”
A list of products confirmed to be affected by the OpenSSL vulnerabilities is being maintained here.
Akamai has released YARA rules and osquery queries that can be used to detect vulnerable instances.
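Perkal's question above, whether you can accurately detect vulnerable OpenSSL 3.x instances, comes down to a version check against the 3.0.0 to 3.0.6 range the article names. The following is an added example, not code from the article, Akamai or the OpenSSL Project; it parses `openssl version` banners from a constructed, hypothetical host inventory and flags builds in the affected range.

```python
import re
from typing import Optional, Tuple

# Affected range named in the article: OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7).
# Earlier series (1.1.1, 1.0.x) are not affected by CVE-2022-3602 / CVE-2022-3786.
FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

# Leading version token of `openssl version` output, e.g. "OpenSSL 3.0.5 5 Jul 2022".
# Pre-3.0 releases carry a letter patch suffix ("1.1.1q"), which is matched but ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an `openssl version` banner, or None if unparsable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_vulnerable(banner: str) -> bool:
    """True if the banner reports a build in the 3.0.0 .. 3.0.6 range."""
    v = parse_version(banner)
    return v is not None and FIRST_AFFECTED <= v < FIRST_FIXED

def triage(inventory: str) -> dict:
    """Bucket 'host<TAB>banner' lines into vulnerable / ok (fixed or unaffected) / unknown."""
    result = {"vulnerable": [], "ok": [], "unknown": []}
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition("\t")
        if parse_version(banner) is None:
            result["unknown"].append(host)   # unparsable: needs manual follow-up
        elif is_vulnerable(banner):
            result["vulnerable"].append(host)
        else:
            result["ok"].append(host)
    return result

# Constructed sample inventory (hypothetical hosts), one `openssl version` banner per host.
SAMPLE_INVENTORY = """\
web01\tOpenSSL 3.0.5 5 Jul 2022
web02\tOpenSSL 3.0.7 1 Nov 2022
api01\tOpenSSL 1.1.1q  5 Jul 2022
bastion\tOpenSSL 3.0.0 7 Sep 2021
legacy\tbanner unavailable
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

`openssl version` only reports the library the CLI binary is linked against; statically linked applications and container images bundle their own copies, which is why the article notes that accurate detection is hard.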
The post OpenSSL Downgrades Bug Severity to High and Releases Patches appeared first on HIPAA Journal.