A warning has been issued to the healthcare and public health sector about a critical vulnerability in the OpenSSL software library. OpenSSL is an open source cryptographic library used by most operating systems and a great many applications to implement Transport Layer Security (TLS) for secure Internet communications, including connections to websites and web applications.
The OpenSSL Project team says the vulnerability affects OpenSSL versions 3.0.0 through 3.0.6 but does not affect OpenSSL 1.1.1 or LibreSSL. Details of the exact nature of the vulnerability are being withheld to limit the potential for exploitation. Further information is expected to be released together with the patch, which will ship as OpenSSL version 3.0.7. At present, no CVE identifier has been published.
While the OpenSSL Project team has announced many vulnerabilities in the past, critical vulnerabilities are very rare. Under the project's severity policy, a critical vulnerability is one that affects common configurations and is also likely to be exploitable. In 2014, a critical OpenSSL vulnerability dubbed Heartbleed was disclosed: a missing bounds check in the TLS heartbeat extension allowed anyone on the Internet to read chunks of memory from systems running vulnerable OpenSSL versions, exposing passwords and private keys. The bug was rapidly exploited by threat actors to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. Because OpenSSL is so extensively used, the impact of such a vulnerability is enormous, and patching every instance where OpenSSL has been used can take considerable time.
The Health Sector Cybersecurity Coordination Center (HC3) explained in a cybersecurity alert that threat actors are likely to attempt to exploit the vulnerability at scale, and warned that exploitation may begin very soon after the patch is released. Cybercriminal and nation-state threat actors are likely to begin reverse engineering the patch as soon as it is released to determine the technical details of the vulnerability and develop an exploit.
HC3 urges all HPH sector organizations to treat this vulnerability with the highest priority and ensure the patch is applied rapidly. For that to happen, it will be necessary to find every instance where OpenSSL has been used, including copies bundled or statically linked into applications and appliances rather than installed by the operating system's package manager. The OpenSSL Project team says the patch will be released between 13:00 and 17:00 UTC on November 1, 2022.
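Finding every copy of OpenSSL on a host is the hard part of this advisory. The script below is an added example written for this article, not code from HIPAA Journal, HC3 or the OpenSSL Project. It checks three places OpenSSL commonly lives: the `openssl` command on PATH, the copy the Python interpreter itself is linked against (`ssl.OPENSSL_VERSION`), and the version text that OpenSSL compiles into libcrypto and libssl, which survives in statically linked or vendored binaries that no package manager lists. The default scan roots and the library file-name prefixes are assumptions; pass your own roots on the command line. The affected range (3.0.0 through 3.0.6, fixed in 3.0.7) is taken from the pre-announcement quoted above.

```python
import os
import re
import shutil
import ssl
import subprocess

# Affected range per the OpenSSL pre-announcement: 3.0.0 through 3.0.6.
# 3.0.7 is the fixed release; 1.1.1 and LibreSSL are not affected.
AFFECTED_LOW = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches the OPENSSL_VERSION_TEXT form ("OpenSSL 3.0.5 5 Jul 2022"), the
# 1.1.x letter form ("OpenSSL 1.1.1q"), the HTTP Server-header form
# ("OpenSSL/3.0.5") and LibreSSL ("LibreSSL 3.3.6").
VERSION_RE = re.compile(rb"(OpenSSL|LibreSSL)[ /](\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Return (library, (major, minor, patch), letter_suffix) or None."""
    if isinstance(text, str):
        text = text.encode("utf-8", "replace")
    m = VERSION_RE.search(text)
    if m is None:
        return None
    lib = m.group(1).decode()
    ver = tuple(int(m.group(i)) for i in (2, 3, 4))
    return lib, ver, m.group(5).decode()


def is_affected(lib, ver):
    """True only for OpenSSL 3.0.0 <= ver < 3.0.7 (tuple comparison)."""
    return lib == "OpenSSL" and AFFECTED_LOW <= ver < FIXED


def classify(text):
    """'affected', 'not affected' or 'unknown' for one version string."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    lib, ver, _suffix = parsed
    return "affected" if is_affected(lib, ver) else "not affected"


def scan_bytes(data):
    """Every distinct version string embedded in a blob, with its verdict.
    Static linking and vendored copies keep OPENSSL_VERSION_TEXT inside the
    binary, so this finds copies that `openssl version` never reports."""
    found = set()
    for m in VERSION_RE.finditer(data):
        lib = m.group(1).decode()
        ver = tuple(int(m.group(i)) for i in (2, 3, 4))
        found.add((lib, ver, is_affected(lib, ver)))
    return sorted(found)


def scan_file(path, max_bytes=64 * 1024 * 1024):
    """scan_bytes() over the first max_bytes of a file; [] if unreadable."""
    try:
        with open(path, "rb") as fh:
            return scan_bytes(fh.read(max_bytes))
    except OSError:
        return []


def scan_tree(root, name_prefixes=("libssl", "libcrypto", "openssl")):
    """Walk `root` and scan regular files whose names look like OpenSSL
    artefacts (prefixes are an assumption). Returns {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().startswith(name_prefixes):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            findings = scan_file(path)
            if findings:
                results[path] = findings
    return results


def check_cli():
    """(path, raw output, verdict) for the `openssl` binary on PATH, or None."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    out = subprocess.run([exe, "version"], capture_output=True, text=True, check=False).stdout
    return exe, out.strip(), classify(out)


def check_python_runtime():
    """The OpenSSL (or LibreSSL) build this interpreter itself links against."""
    return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    import sys
    print("python runtime:", *check_python_runtime())
    print("openssl cli   :", check_cli())
    # Default roots are assumptions; pass your own on the command line.
    for root in sys.argv[1:] or ["/usr/lib", "/usr/local", "/opt"]:
        for path, findings in scan_tree(root).items():
            for lib, ver, hit in findings:
                tag = "AFFECTED" if hit else "ok"
                print(f"{tag:8} {path}: {lib} {'.'.join(map(str, ver))}")
```

Run it as `python3 openssl_audit.py /usr/lib /opt /srv/app` on each host, or ship it through your endpoint agent. The embedded-string scan is what distinguishes this from a package-manager query: a Go or Rust service statically linked against OpenSSL 3.0.x, or a vendor appliance with its own libcrypto under `/opt`, still carries the "OpenSSL 3.0.5 5 Jul 2022" text and is reported as AFFECTED even though `dpkg`/`rpm` show only the patched system package.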
UPDATE November 1, 2022 – The OpenSSL Project has confirmed that there are two vulnerabilities, both rated high severity rather than critical, but immediate patching is still strongly recommended, as one of them could potentially lead to remote code execution. More information is available in this post.
The post Patch Due for Release on November 1, 2022 to Fix Critical OpenSSL Vulnerability appeared first on HIPAA Journal.