On Thursday, October 27th, 2022, OpenSSL cryptography library developers issued a pre-warning about an upcoming critical update on Tuesday, November 1st to address a high-severity vulnerability. Now, the fix has been released.
It is worth noting that earlier the vulnerability was thought to be the worst ever since Heartbleed in 2014.
What is OpenSSL?
OpenSSL is an important software library used by servers and apps to encrypt data over the internet and other networks. It is essentially an open-source implementation of the TLS and SSL cryptographic protocols that secure communications. For example, the lock icon shown next to the web address when you browse a site indicates such a secured connection; that is the kind of work OpenSSL does.
2 Vulnerabilities Identified in OpenSSL
For your information, infosec researchers identified two bugs in OpenSSL. As per OpenSSL’s security advisory, the first flaw is tracked as CVE-2022-3602. It could be exploited with a maliciously crafted, overlong email address in an X.509 certificate to overflow four attacker-controlled bytes on the stack, which could crash the app or server or lead to remote code execution if the certificate is validated.
However, this requires either a CA to sign the malicious certificate or the app to continue certificate verification even if it fails to build a path to a trusted issuer. If the attacker gains that control, they can arrange the stack so that the overwritten bytes hijack the program flow.
The second bug, also a high-severity vulnerability, is tracked as CVE-2022-3786 and is fixed in OpenSSL version 3.0.7. Like the first one, it triggers a buffer overflow that crashes the app or server once the certificate is accepted. The attacker may craft a malicious email address in the certificate to overflow an “arbitrary number of bytes containing the ‘.’ character (decimal 46) on the stack,” resulting in a crash and denial of service, the advisory read.
Details of the Patch
Project maintainers had warned about the OpenSSL vulnerability last week that was first categorized as critical and later as a high-severity buffer overflow bug that impacted all OpenSSL 3.x installations.
However, developers were confident that the bug was unlikely to allow remote code execution. That is why it was downgraded to high severity on November 1st, 2022: it could not be exploited for remote code execution in common situations, which is a significant criterion for critical vulnerabilities. The team has not issued a detailed explanation of the patch, but it has urged users to apply it as necessary.
Assessing the Bugs
As per the IT security researcher Marcus Hutchins, both bugs impacted a “small subset of OpenSSL deployments.” This includes software using version 3.0.0-3.0.6. Operating systems, apps, and servers using these versions must be upgraded to OpenSSL 3.0.7 to fix the bugs.
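To make the version range above actionable, here is an added defender-side check (this is example code, not part of the article or of the OpenSSL project) that parses the banner printed by `openssl version` and reports whether the installed library falls in the affected 3.0.0 to 3.0.6 range. The banner strings in the comments are constructed samples; real output also carries a build date, which the parser ignores.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range as stated in the OpenSSL advisory coverage: 3.0.0 up to,
# but not including, the fixed release 3.0.7.
AFFECTED_MIN: Tuple[int, int, int] = (3, 0, 0)
FIXED_VERSION: Tuple[int, int, int] = (3, 0, 7)

# Matches "OpenSSL 3.0.6 ..." or "OpenSSL 1.1.1q ..." (letter suffixes of the
# 1.x series are ignored; only the numeric triple matters for this check).
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an 'openssl version' banner, or None
    if the banner is not from OpenSSL (e.g. LibreSSL) or cannot be parsed."""
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner names a version in [3.0.0, 3.0.7), False if it names
    any other OpenSSL version, None if the banner could not be parsed."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return AFFECTED_MIN <= version < FIXED_VERSION


def installed_openssl_status() -> Optional[bool]:
    """Run the local 'openssl version' binary and classify it with is_affected().
    Returns None when the binary is missing or fails to run."""
    try:
        result = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_affected(result.stdout)


if __name__ == "__main__":
    status = installed_openssl_status()
    if status is None:
        print("openssl binary not found or banner not recognised")
    elif status:
        print("installed OpenSSL is in the affected 3.0.0-3.0.6 range: upgrade to 3.0.7")
    else:
        print("installed OpenSSL is outside the affected range")
```

One caveat for operators: some Linux distributions backport security fixes into their packaged OpenSSL without bumping the upstream version number, so a banner of 3.0.6 on such a system may already be patched. Treat the banner check as a first triage step and confirm against the distribution's own advisory or package changelog. Also note that the system `openssl` binary does not cover applications that bundle their own copy of the library.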
“Due to the fact OpenSSL 3.0.0 was released in September 2021, it is far less widespread than previous versions. Given the very recent release date, older appliances with hardcoded OpenSSL versions are unlikely to be vulnerable,” Hutchins noted in his blog post.