According to the OpenSSL team, a new version, 3.0.7, will be released on November 1st, 2022 (https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html). It is notable that OpenSSL very rarely tags a vulnerability with Critical severity as part of a release announcement (https://www.openssl.org/policies/general/security-policy.html). The new version will contain a fix for a critical vulnerability. At the time of publication, technical details regarding this vulnerability are not yet available.
OpenSSL is a software library written in C that is used to secure network communications. The library is widely used by Internet servers, including the majority of HTTPS web sites, and HTTPS is used by over 80% of all websites.
Who is impacted?
All OpenSSL versions between 3.0.0 and 3.0.6 are considered vulnerable. Since OpenSSL 3.0 was released on September 7, 2021, the vulnerable versions are not as widely deployed as older OpenSSL versions. It is important to note that in the past, critical vulnerabilities in OpenSSL libraries, such as Heartbleed, were massively exploited. Our research shows that 78% of organizations could be compromised by new RCE techniques when they arise.
What should we do?
Currently, there is no patch or workaround available from OpenSSL, but XM Cyber customers can nonetheless reduce their cyber risk exposure and should perform the following steps:
- Identify all devices that are running a vulnerable version of OpenSSL
- Correlate the devices found in step 1 with the choke points and critical assets identified by XM Cyber
- On Tuesday (November 1st), be ready to patch the prioritized devices. More details regarding the patch will be released between 13:00 and 17:00 UTC.
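As an added example for step 1 (this is not XM Cyber's tooling and not part of the original advisory), the POSIX shell snippet below classifies an `openssl version` banner against the affected range 3.0.0 to 3.0.6 stated above, runs the classification over a few constructed sample banners, and then checks the host's own `openssl` binary if one is on the PATH. The sample banners, the function names and the tolerated letter-suffix handling are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not XM Cyber's tooling): triage OpenSSL version banners
# against the affected range 3.0.0 - 3.0.6 named in the advisory above.
# A banner is the text "openssl version" prints, e.g. "OpenSSL 3.0.5 5 Jul 2022".

openssl_version_from_banner() {
    # The version is the second whitespace-separated field of the banner.
    banner=$1
    set -- $banner
    printf '%s\n' "$2"
}

# Returns 0 (shell "true") when the banner's version is in 3.0.0 .. 3.0.6.
openssl_is_vulnerable() {
    ver=$(openssl_version_from_banner "$1")
    case "$ver" in
        # Exact patch levels 0-6. The second pattern tolerates a non-digit
        # suffix such as a "-dev" tag (assumption), while "3.0.10" and later
        # fall through to the default branch because their next char is a digit.
        3.0.[0-6]|3.0.[0-6][!0-9]*) return 0 ;;
        *) return 1 ;;   # 1.1.1x, 3.0.7 and later are outside the range
    esac
}

# Reads one banner per line on stdin; prints one triage line per banner.
report_banners() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if openssl_is_vulnerable "$line"; then
            printf 'VULNERABLE %s (affected range 3.0.0-3.0.6, update to 3.0.7)\n' \
                "$(openssl_version_from_banner "$line")"
        else
            printf 'ok         %s\n' "$(openssl_version_from_banner "$line")"
        fi
    done
}

# Constructed sample banners (not real inventory data) to show the classification.
sample_banners='OpenSSL 3.0.5 5 Jul 2022
OpenSSL 3.0.7 1 Nov 2022
OpenSSL 1.1.1q  5 Jul 2022
OpenSSL 3.0.10 1 Aug 2023'

printf '%s\n' "$sample_banners" | report_banners

# Live check of the host's default OpenSSL command-line binary, if present.
if command -v openssl >/dev/null 2>&1; then
    openssl version 2>/dev/null | report_banners
fi
```

Two caveats apply when using a banner check as an inventory source. First, distributions frequently backport security fixes without changing the upstream version number, so a banner reading 3.0.2 on a fully patched distribution package may already contain the fix; the package manager's changelog or the vendor's advisory is the authoritative signal there. Second, many applications bundle or statically link their own copy of OpenSSL, so the host's `openssl` binary does not account for every instance on the device; those copies need to be found through software inventory rather than through this one command.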
Identifying OpenSSL with XM Cyber
XM Cyber’s Attack Path Management can prioritize and remediate choke points leading from the possible OpenSSL exploits to an organization’s critical assets, breaking the possible attack vector regardless of whether a direct patch or remediation for the vulnerability exists. That represents huge value to XM Cyber customers, who can see the attack before it happens, cut off attack paths at key junctures, and eradicate risk with a fraction of the effort, something many other solutions today are unable to do.
As with recent vulnerabilities like Log4Shell, organizations lack visibility into which of their applications use OpenSSL, which makes it very hard for them to know what to tackle first and how. To provide more visibility into these risks, we are proactively approaching customers to share the findings of the XM Cyber research team, close security gaps, and focus remediation activities.
Note: The XM Cyber Research team will continue updating this blog advisory as more details emerge and a relevant patch is provided.
Update: November 1st – OpenSSL Advisory Released
On November 1st, the OpenSSL team released a security advisory containing patches for two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, both rated High severity.
Our initial blog referred to CVE-2022-3602. The OpenSSL team at first tagged the vulnerability as Critical severity, but after additional research they lowered the severity to High. The team said that there is currently no evidence of the vulnerabilities being exploited in the wild.
The change is due to the fact that exploitation is less likely because modern systems implement stack overflow protection. In addition, right after the release, DATADOG Security Labs published a technical blog with additional information regarding CVE-2022-3602. DATADOG Security Labs were able to produce a denial of service (DoS) on Windows and some Linux distributions, and said that on Linux the vulnerability may not be exploitable.
Even though the vulnerability's severity has been reduced and exploitation is less likely, we recommend updating vulnerable endpoints to OpenSSL version 3.0.7.
- 2022-10-31: Initial Security Advisory
- 2022-11-02: Updated advisory with additional information from the OpenSSL team