CTI Flash Briefing:

James Beal
Hunter Strategy
Published Nov 1, 2022 (3 min read)

Critical OpenSSL Vulnerability Release

Update post Patch Release

With an update right at their listed deadline, we now have all the details, and the vulnerability has been officially downgraded from CRITICAL to HIGH, split across two CVEs.

CVE-2022-3602 and CVE-2022-3786:

CVE-2022-3602 is a 4-byte stack buffer overflow (the overflowed bytes are attacker-controlled) that could crash the process or potentially lead to remote code execution (RCE).

CVE-2022-3786 can be triggered by a malicious email address supplied by an attacker (in a certificate's name constraints) and causes a stack buffer overflow that results in a denial of service (crash).

From the official OpenSSL blog:

Q: What should users do?

A: Users of OpenSSL 3.0.0–3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible.

Q: Does this impact releases prior to 3.0?

A: No, the bugs were introduced as part of punycode decoding functionality (currently only used for processing email address name constraints in X.509 certificates). This code was first introduced in OpenSSL 3.0.0. OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected.

We did release an update to OpenSSL 1.1.1, namely 1.1.1s, also on 1st November 2022, but this is a bug fix release only and does not include any security fixes.

Q: Are these issues being exploited in the wild?

A: We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post.

Overview

OpenSSL is a software library used to secure communication across the internet by providing the cryptographic functions that networking software relies on. It is an open-source implementation of Secure Sockets Layer (SSL) and Transport Layer Security (TLS), and web servers and the majority of HTTPS websites depend on it to protect their users. Last week the project announced that OpenSSL 3.0.x contained a critical vulnerability and that the fix would ship as version 3.0.7, which is being released today.

Background

The OpenSSL project team released an official statement on Tuesday, October 25th. It said the updated version would be released on November 1st, 2022, between 1300 and 1700 UTC; for the Eastern U.S., that is 9 a.m. to 1 p.m. The new version would fix a CRITICAL vulnerability. The OpenSSL Project defines a CRITICAL vulnerability as one that affects common configurations and is also likely to be exploitable. Details of the exact vulnerability, or any Indicators of Compromise (IOCs) that we could use for detection, were not released at that time. The week of advance warning gave organizations time to prepare so they could patch as soon as the new release became available.

Response

The best response is to prepare any affected systems ahead of time, if possible, so that they are otherwise fully patched and will not add to the timeframe and complexity of applying this patch. Once the patch is released, patch systems in an organized manner, with the most exposed systems, such as internet-facing web servers or systems in the DMZ, first on the list. Each vendor will have its own set of remediation steps, so continue to monitor for the vendor patches tied to the OpenSSL vulnerability as they become available for download and installation. The SANS Internet Storm Center posted a quick list of the OpenSSL versions installed by default on each operating system, which is useful for a sanity check of your systems.
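A sanity check of that kind in shell, added here as an example rather than anything from the post or the OpenSSL project: it classifies an `openssl version` banner against the affected range (3.0.0 through 3.0.6, fixed in 3.0.7, 1.x unaffected) and assumes the banner format that command prints and a vendor suffix of the form `-0ubuntu1.7`.

```shell
#!/bin/sh
# Classify an `openssl version` banner against the range the advisory names:
# OpenSSL 3.0.0 through 3.0.6 are affected by CVE-2022-3602 / CVE-2022-3786,
# 3.0.7 carries the fix, and 1.0.2 / 1.1.1 (including 1.1.1s) never had the
# punycode code. Prints AFFECTED, FIXED or NOT_AFFECTED; exit status 0 = affected.
classify_openssl() {
    set -- $1                    # split banner on whitespace: "OpenSSL 3.0.5 5 Jul 2022"
    ver=${2:-$1}                 # second field is the version; accept a bare "3.0.5" too
    ver=${ver%%[-+]*}            # drop a vendor suffix such as "-0ubuntu1.7" (assumed form)
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # "1s" -> "1": strip the letter suffix of 1.1.1x releases
    [ -n "$patch" ] || patch=0
    if [ "$major" = 3 ] && [ "$minor" = 0 ]; then
        if [ "$patch" -le 6 ]; then
            echo AFFECTED
            return 0
        fi
        echo FIXED
        return 1
    fi
    echo NOT_AFFECTED
    return 1
}

# Sanity check of this host, as the Response section suggests. A distro build
# reporting 3.0.x may still carry a backported fix under the same version number,
# so AFFECTED here means "confirm against the vendor's package advisory".
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    printf '%s -> ' "$banner"
    classify_openssl "$banner" || true
fi
```

Applications that bundle or statically link their own OpenSSL will not show up in the system banner, so run the same check against each vendor-supplied copy you know of.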

Conclusion

We will continue to work with our internal SOC staff to support all our customers with patching. If you have any questions or would like assistance with your IT/IS systems and support, please reach out; we would love to discuss those needs with you and your teams.

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.