
Critical vulnerability in OpenSSL – updated on 1 November 2022

The National Cyber Security Centre SK-CERT reminds that the OpenSSL developers have announced the release of a patch for a critical security vulnerability on Tuesday, 1 November 2022 at 2:00 p.m. (winter time).

Please note that details will be published during our bank holiday. Operators of essential services are therefore strongly advised to place necessary personnel on standby duty during this holiday, to monitor information on the critical vulnerability, and to apply security updates of individual systems as soon as they become available.

Update on 1 November 2022 at 5:10 p.m.: Information about the vulnerabilities has now been published. Their impact and the available mitigations are discussed below.

OpenSSL is a library used for encrypted communication in both client and server applications as well as in VPN products (email clients and servers, web browsers and web servers, SSL VPN servers).

About the vulnerabilities

There are two separate vulnerabilities, CVE-2022-3602 and CVE-2022-3786, in certificate verification. The vulnerabilities have been given the name SpookySSL and a thematic logo.

The vulnerabilities can be triggered by a specially crafted X.509 certificate. The error occurs when the email address field of the certificate is parsed. If the application verifies the validity of the certificate chain, the crafted certificate must be signed by a certification authority the application trusts before the vulnerable code is reached.

Since the vulnerabilities are buffer overflows, they may in principle lead to remote code execution and a full breach of confidentiality, integrity, and availability. However, the OpenSSL team’s initial analysis indicates that, due to implementation details on the platforms tested, they cannot be exploited for remote code execution, only for denial of service, i.e. a crash of the affected application. Their severity was therefore downgraded from CRITICAL to HIGH. Nevertheless, this assessment may change.

Proof-of-concept certificates are already available for the vulnerability; presenting them to a vulnerable application crashes it.

Affected systems

  • OpenSSL libraries in versions 3.0.0 to 3.0.6 are affected. Users should upgrade to library version 3.0.7, which contains fixes for these vulnerabilities.
  • OpenSSL libraries in versions 1.1.1 and 1.0.2 are not affected.
  • All applications that use the library in a vulnerable version are affected, including VPN servers and VPN clients, web browsers and email clients.
  • Even when the host operating system itself is not affected, containerised applications deployed on it may ship their own vulnerable copy of the library and must be checked separately.

Identifying vulnerable versions of OpenSSL libraries using a YARA rule (the pattern below matches only the 3.0.0 to 3.0.6 version banner; the rule as originally published used 3\.[0-6]\.[0-9], which also matches the patched 3.0.7 release and every other 3.x.y build):

rule openssl_version
{
    meta:
        description = "OpenSSL 3.0.0 - 3.0.6 version banner (CVE-2022-3602, CVE-2022-3786)"

    strings:
        // matches e.g. "OpenSSL 3.0.5 5 Jul 2022"; the trailing \b keeps
        // "3.0.1" from matching inside a later "3.0.10" banner
        $re1 = /OpenSSL\s3\.0\.[0-6]\b/

    condition:
        $re1
}
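The YARA rule above only finds the banner; it does not tell an operator which of the hits actually fall in the affected range once 3.0.7 and later builds are on the same host. The following script is an added example written for this advisory, not SK-CERT's or the OpenSSL project's tooling. It walks a directory, extracts every embedded "OpenSSL x.y.z" banner and classifies it against the 3.0.0 to 3.0.6 range. It assumes the file still carries the stock banner compiled into libcrypto: a vendor backport that fixed the code but left the banner unchanged is reported as vulnerable, and a stripped or rewritten banner is not seen at all, so treat the output as the starting point for patch tracking rather than proof.

```python
"""Scan binaries and shared objects for embedded OpenSSL version banners and
flag the builds affected by CVE-2022-3602 / CVE-2022-3786 (3.0.0 to 3.0.6).

Constructed example for this advisory; not SK-CERT's or the OpenSSL project's
tooling. Assumption: the file carries the stock "OpenSSL x.y.z <date>" banner.
"""
import re
import sys
from pathlib import Path

# Stock banner looks like b"OpenSSL 3.0.5 5 Jul 2022"; 1.x adds a letter (1.1.1q).
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]?\b")

FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)      # 3.0.7 is the release that fixes both CVEs


def classify(version):
    """Classify a (major, minor, patch) tuple against the advisory's affected range."""
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "vulnerable"
    return "not_affected"    # 1.0.2, 1.1.1, 3.0.7 and later


def find_versions(data):
    """Return the distinct OpenSSL version tuples embedded in a byte blob, in order."""
    versions = []
    for m in BANNER_RE.finditer(data):
        v = tuple(int(g) for g in m.groups())
        if v not in versions:
            versions.append(v)
    return versions


def scan_blob(data):
    """Map every version banner found in `data` to its classification."""
    return {v: classify(v) for v in find_versions(data)}


def scan_tree(root):
    """Walk `root` and return {path: {version: classification}} for files with a banner.

    Files are read whole, so point this at a library or application directory
    rather than the entire filesystem.
    """
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        try:
            hits = scan_blob(path.read_bytes())
        except OSError:
            continue            # unreadable file: skip, do not abort the scan
        if hits:
            results[str(path)] = hits
    return results


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    exit_code = 0
    for path, hits in sorted(scan_tree(root).items()):
        for version, status in hits.items():
            print(f"{path}: OpenSSL {'.'.join(map(str, version))} -> {status}")
            if status == "vulnerable":
                exit_code = 1   # non-zero exit lets a cron job or CI step alert
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_openssl.py /usr/lib` (or against an extracted container image layer, which covers the containerised-application case in the list above). Version comparison is done on integer tuples rather than on the string, so 3.0.10 and later are correctly reported as not affected.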
Recommendations

  • identify and update affected systems
  • use a web application firewall with a non-vulnerable TLS implementation to terminate TLS and to verify client certificates before they reach the vulnerable application
  • disable loading of untrusted certificates
  • implement network logging of TLS certificates so that crafted certificates can be identified during incident investigation
Sources

  • https://mta.openssl.org/pipermail/openssl-announce/2022-Octobe/000238.html
