OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

On Thursday, October 27th, 2022, the OpenSSL project pre-announced that a release on Tuesday, November 1st would fix a vulnerability it then rated critical. The fix, OpenSSL 3.0.7, has now been released, and the issue was downgraded to high severity along with it.

Before the release, the vulnerability was widely expected to be the worst OpenSSL bug since Heartbleed in 2014.

What is OpenSSL?

OpenSSL is a widely used open-source library that implements the TLS and SSL cryptographic protocols, and it is what many servers and applications rely on to encrypt traffic over the internet and other networks. The padlock icon next to a web address in your browser indicates a TLS connection, and on a large share of servers OpenSSL is the library establishing it.

2 Vulnerabilities Identified in OpenSSL

The release fixes two bugs in OpenSSL 3.0. According to OpenSSL's security advisory, the first, tracked as CVE-2022-3602, is a buffer overrun in X.509 certificate verification, specifically in name constraint checking, where punycode-encoded internationalized email addresses are decoded. An attacker can craft a malicious email address in a certificate to overflow four attacker-controlled bytes on the stack, which can crash the application or server (a denial of service) or potentially lead to remote code execution.

The overflow occurs after the certificate chain's signatures have been verified, so exploitation requires either a CA to have signed the malicious certificate or the application to continue verification despite failing to build a path to a trusted issuer. In a TLS client this means connecting to a malicious server; in a TLS server it requires client authentication to be enabled and a malicious client to connect. If those conditions are met, an attacker who can arrange the layout of the stack could use the overwritten bytes to hijack program flow.

The second bug, CVE-2022-3786, is also rated high severity and is fixed in the same release, OpenSSL 3.0.7. It is a buffer overflow in the same name-constraint checking code with the same preconditions as the first. Here a crafted email address in a certificate can overflow "an arbitrary number of bytes containing the '.' character (decimal 46) on the stack", the advisory reads. Because the overflowed bytes are all '.', the advisory lists only a crash and denial of service as the impact, not code execution.
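To make the two bug shapes concrete, the following is an added example and not OpenSSL's code: a deliberately simplified model of two bounds-check mistakes, one per CVE as the advisory describes them. `decode_cp_unsafe` stores 32-bit code points with an off-by-one comparator, so exactly one 4-byte value lands past the end of the caller's array (the CVE-2022-3602 shape); `join_unsafe` copies label bytes under a correct check but writes the '.' separator before checking for room (the CVE-2022-3786 shape). Each is paired with a hardened version. All function names, the canary trick, and the sample inputs are assumptions of this example; OpenSSL's real decoder is more involved and is not reproduced here. The callers reserve one spare slot after the buffer and put a canary in it, so the overrun is observed as a clobbered canary rather than as undefined behaviour.

```c
/* Added example, not OpenSSL's code: simplified models of the two
 * bounds-check mistakes described in the advisory.  Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CANARY_U32 0xDEADBEEFu
#define CANARY_CH  '#'

typedef int (*cp_decoder)(const uint32_t *, size_t, uint32_t *, size_t);
typedef int (*joiner)(const char *const *, size_t, char *, size_t);

/* CVE-2022-3602 shape: the comparator is off by one.  When written == max_out
 * the check still passes and one 4-byte code point is stored at out[max_out]. */
int decode_cp_unsafe(const uint32_t *in, size_t n, uint32_t *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (written > max_out)            /* BUG: should be >= */
            return -1;
        out[written++] = in[i];
    }
    return (int)written;
}

/* Hardened: refuse as soon as the buffer is full. */
int decode_cp_safe(const uint32_t *in, size_t n, uint32_t *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (written >= max_out)
            return -1;
        out[written++] = in[i];
    }
    return (int)written;
}

/* Returns 1 if decode() wrote into the spare slot beyond a 4-slot buffer. */
int cp_overrun(cp_decoder decode)
{
    /* Constructed input: five code points for a buffer that holds four. */
    const uint32_t label[5] = { 'a', 'b', 'c', 'd', 'e' };
    uint32_t buf[5] = { 0, 0, 0, 0, CANARY_U32 };   /* buf[4] is the canary */
    decode(label, 5, buf, 4);
    return buf[4] != CANARY_U32;
}

/* CVE-2022-3786 shape: label bytes are checked before they are copied, but the
 * '.' separator is written first and the remaining space checked afterwards.
 * Output is a raw byte field (not NUL-terminated); the return is bytes written. */
int join_unsafe(const char *const *labels, size_t n, char *out, size_t outlen)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(labels[i]);
        if (i > 0) {
            out[pos++] = '.';             /* BUG: write, then check */
            if (pos > outlen)
                return -1;
        }
        if (pos + len > outlen)
            return -1;
        memcpy(out + pos, labels[i], len);
        pos += len;
    }
    return (int)pos;
}

/* Hardened: check for room before emitting the separator. */
int join_safe(const char *const *labels, size_t n, char *out, size_t outlen)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(labels[i]);
        if (i > 0) {
            if (pos >= outlen)
                return -1;
            out[pos++] = '.';
        }
        if (pos + len > outlen)
            return -1;
        memcpy(out + pos, labels[i], len);
        pos += len;
    }
    return (int)pos;
}

/* Returns 1 if join() wrote the separator into the spare byte past a 4-byte field. */
int join_overrun(joiner join)
{
    /* Constructed input: "abcd" exactly fills the field, so the next label's
     * separator has nowhere to go. */
    const char *labels[2] = { "abcd", "e" };
    char buf[5] = { 0, 0, 0, 0, CANARY_CH };        /* buf[4] is the canary */
    join(labels, 2, buf, 4);
    return buf[4] != CANARY_CH;
}
```

The point the model makes is that both defects live entirely in where the check sits relative to the write, which is why a one-character change (`>` to `>=`) or reordering two statements is enough to close them; the attacker's influence is limited to how many elements the decoder produces, which in the real bug comes from the length of the crafted email address.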

Details of the Patch

Project maintainers had warned about the vulnerability the week before. It was first categorized as critical and later as a high-severity buffer overflow bug affecting every OpenSSL 3.0 installation from 3.0.0 through 3.0.6; the older 1.1.1 and 1.0.2 series are not affected.

The developers concluded that remote code execution was unlikely in common situations, which is the main criterion for a critical rating, and downgraded the issue to high severity on November 1st, 2022. They cited two mitigating factors: many platforms ship stack-overflow protections that would blunt an attempt at code execution, and the attack needs a CA-signed malicious certificate or an application that carries on after failing to build a trusted chain. The team has nonetheless urged users to upgrade to 3.0.7 without delay.

Assessing the Bugs

According to IT security researcher Marcus Hutchins, both bugs impact a "small subset of OpenSSL deployments": software using versions 3.0.0 through 3.0.6. Operating systems, applications, and servers using those versions must be upgraded to OpenSSL 3.0.7 to fix the bugs.

“Due to the fact OpenSSL 3.0.0 was released in September 2021, it is far less widespread than previous versions. Given the very recent release date, older appliances with hardcoded OpenSSL versions are unlikely to be vulnerable,” Hutchins noted in his blog post.
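As an added triage helper (this example is not Hutchins's or OpenSSL's code), the function below classifies the banner printed by `openssl version` against the affected range named above: 3.0.0 through 3.0.6 is affected, 3.0.7 is fixed, and the 1.1.1 and 1.0.2 series are not affected. The function name, return convention, and sample banners are assumptions of this example.

```c
/* Added example, not OpenSSL's code: classify an `openssl version` banner
 * against the CVE-2022-3602 / CVE-2022-3786 affected range.  Name is hypothetical. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the banner names an affected version (3.0.0 - 3.0.6),
 * 0 if it does not, and -1 if the banner cannot be parsed. */
int openssl_banner_affected(const char *banner)
{
    int major, minor, patch;

    /* Banners look like "OpenSSL 3.0.5 5 Jul 2022".  A letter suffix as in
     * "1.1.1q" simply terminates the third %d and is ignored. */
    if (strncmp(banner, "OpenSSL ", 8) != 0)
        return -1;
    if (sscanf(banner + 8, "%d.%d.%d", &major, &minor, &patch) != 3)
        return -1;
    return (major == 3 && minor == 0 && patch <= 6) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample banners. */
    const char *samples[] = {
        "OpenSSL 3.0.5 5 Jul 2022",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "LibreSSL 3.3.6",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = openssl_banner_affected(samples[i]);
        printf("%-32s -> %s\n", samples[i],
               r == 1 ? "AFFECTED, upgrade to 3.0.7" :
               r == 0 ? "not affected" : "unrecognised banner");
    }
    return 0;
}
```

Feed it the output of `openssl version` from each host. Bear in mind that the system banner only describes the system library: applications that statically link or vendor their own copy of OpenSSL 3.0 need to be checked separately, and that is exactly the case Hutchins's point about hardcoded versions is about.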
