What Happened?
A high critical vulnerability (CVE-2022-3786, CVE-2022-3602) was discovered in OpenSSL, a popular open source cryptography library that many applications, operating systems and websites use to secure communications via Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
OpenSSL version 3.0.0 is affected. Version 3.0.7, which is now available, to be released between 13:00-17:00 UTC (9 am – 1 pm ET) will fix the issue, according to the OpenSSL team. The vulnerability primarily affects clients rather than servers.
Update 11/1 @ 1:30 PM ET: The vulnerability rating was downgraded to high.
How Bad is This?
Technical details are not yet released, but the OpenSSL project provides some information on what it considers high:
“This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.”
This is not the first OpenSSL vulnerability; in 2014, Heartbleed (CVE-2014-0160) affected thousands of web servers, enabling attackers to access the parts of OpenSSL’s memory that should be private — which could include SSL private keys.
It is currently not yet clear whether this vulnerability will have the impact that Heartbleed did, but some experts are speculating that it will be similar or worse.
What Should I Do?
Prioritize patching as soon as OpenSSL version 3.0.7 is made available — it is now available between 13:00-17:00 UTC (9 am – 1 pm ET). The OpenSSL Git repository should have the latest version at https://github.com/openssl/openssl or https://www.openssl.org/source/.
Users wondering what to patch first should follow this prioritization list below:
- External-facing machines that can be reached via the internet.
- Systems that host shared services amongst multiple users.
- All other affected hosts.
How To Detect
OpenSSL provides a command line utility and a quick query will return the results of your SSL library running on any device:
% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
The example shows a vulnerable version of OpenSSL. This device will require an update to 3.0.7.
Other scanning resources include https://www.ssllabs.com/ssltest/ for web scanning and https://github.com/rbsec/sslscan for command line scanning.
You can also check this list to see whether a vendor is vulnerable or not.
Alternatively, you can check your vulnerability scanner results and/or next-generation endpoint protection tools such as SentinelOne, Crowdstrike, etc. for affected devices on your network that have the endpoint agent installed.
For all other non-standard installations of OpenSSL, keep an eye out for software vendors to provide details on updating their application software that runs on OpenSSL.
Sign Up For Your Free Account
Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
Blumira’s free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Nick Brigmon
A Detroit native and graduate of Eastern Michigan University’s outstanding Information Assurance program, Nick has been working full time in IT for over six years. The last five years of his career have been dedicated exclusively to Information Security first as a Security Analyst for NetWork Group’s Managed Detection...
More from the blog
View All PostsNew Unauthenticated Remote Code Execution Flaw Identified in OpenSSH Server
Read MoreFortinet SSL-VPN RCE Vulnerability (CVE-2022-40684) Exploited In The Wild
Read MoreZero-Day RCE Vulnerability CVE-2021-44228 aka Log4Shell Affects Java
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.