The New OpenSSL Critical Vulnerability - Early Information and Detections
News / Posted November 01, 2022
This article will cover what we know so far, how AppCheck customers can detect the issue and details of how we can help if you’re not an existing customer. We will be updating the article as new information arises so keep checking back.
OpenSSL has now released an official advisory that can be found here: https://www.openssl.org/news/secadv/20221101.txt
Leading up to the release of this advisory, the OpenSSL team warned of a Critical issue, making it only the second OpenSSL vulnerability in history to be given that rating. Much of the infosec industry has been braced for a serious security flaw in the same vein as the OpenSSL Heartbleed vulnerability disclosed in 2014.
However, based on the initial advisory, it appears that the discovered flaws have several key mitigating factors that are likely to make exploiting either of the vulnerabilities exceptionally difficult.
The OpenSSL team make the following statement in their advisory:
“Pre-announcements of CVE-2022-3602 described this issue as CRITICAL.
Further analysis based on some of the mitigating factors described above
have led this to be downgraded to HIGH. Users are still encouraged to
upgrade to a new version as soon as possible.”
At a high level, to exploit either of these flaws the attacker would need to trick a vulnerable OpenSSL client into connecting to a malicious server, or find a server that requests client SSL authentication (relatively rare) and connect to it as a malicious client. In either case, exploitation occurs after signature validation, meaning that the malicious certificate would need to be signed by a certificate authority.
Each of these constraints appears to make reaching the vulnerability difficult.
Furthermore, only one of the reported flaws is described as potentially allowing remote code execution, and the OpenSSL team goes on to make the following statement:
“Many platforms implement stack overflow protections which would mitigate
against the risk of remote code execution. The risk may be further
mitigated based on stack layout for any given platform/compiler.”
At the current time both of the reported vulnerabilities appear to be difficult to reach and difficult (or potentially impossible) to exploit to yield anything beyond Denial of Service.
OpenSSL Critical Vulnerability – Early Information
On the 25th October the OpenSSL project team announced a new release containing a CRITICAL security fix, to be published on 1st November.
From what we understand so far it looks to be an out-of-bounds read related to SHA-3 operations. This would allow a remote attacker to read process memory and disclose sensitive data such as private keys, session tokens and other sensitive data.
AppCheck has added preliminary checks to the scanner for the Critical OpenSSL vulnerability known to be affecting versions 3.0.0 to 3.0.6; if detected, it will be reported as a critical finding. At the time of writing we are waiting for the patched version 3.0.7 to be released before we can know more about the exact nature of the vulnerability.
Once this happens we will update our findings with more details, including the CVE number. For now, it is strongly recommended to be prepared to patch or switch off vulnerable exposed systems.
OpenSSL Critical Vulnerability Detections (for AppCheck customers)
AppCheck has added preliminary checks for the Critical OpenSSL vulnerability known to be affecting versions 3.0.0 to 3.0.6. If detected, it will be reported as a critical finding when running credentialed infrastructure scans.
Alongside your regular scans, we recommend performing checks manually across your estate with the command “openssl version” on any host with openssl installed.
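The manual check above can be scripted. The following is an added example, not AppCheck's code: it classifies the output of "openssl version" against the 3.0.0 to 3.0.6 range given in this article. The function names, the tab-separated inventory format and the host names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not AppCheck's code): triage `openssl version` banners against
# the affected range given in the article, 3.0.0 to 3.0.6.

# classify_openssl_version "<banner line>" -> affected | outside-range | unknown
classify_openssl_version() {
    case $1 in
        "OpenSSL "*) ;;                   # banner printed by OpenSSL itself
        *) echo unknown; return 0 ;;      # LibreSSL, empty output, anything else
    esac
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. 3.0.2, 1.1.1f
    case $ver in
        # 3.0.0 to 3.0.6; suffixed builds of those are treated conservatively
        3.0.[0-6]|3.0.[0-6][!0-9]*) echo affected ;;
        [0-9]*.[0-9]*.[0-9]*) echo outside-range ;;
        *) echo unknown ;;
    esac
}

# report_affected: reads "host<TAB>banner" lines on stdin (hypothetical
# inventory format) and prints the hosts whose banner is in the affected range.
report_affected() {
    while IFS="$(printf '\t')" read -r host banner; do
        if [ "$(classify_openssl_version "$banner")" = affected ]; then
            echo "$host"
        fi
    done
}

# Constructed sample inventory; the host names are made up.
sample_inventory() {
    printf 'web01\tOpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)\n'
    printf 'web02\tOpenSSL 1.1.1f  31 Mar 2020\n'
    printf 'app01\tOpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)\n'
    printf 'mac01\tLibreSSL 2.8.3\n'
}

sample_inventory | report_affected

# Classify the local binary when one is on PATH.
if command -v openssl >/dev/null 2>&1; then
    classify_openssl_version "$(openssl version)"
fi
```

"openssl version" reports only the binary found on PATH, so applications that bundle or statically link their own copy of OpenSSL need checking separately. Distribution packages may also carry a backported fix under an unchanged upstream version string, so confirm an "affected" result against the package changelog.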
We will endeavour to release any further information as the situation unfolds through our blog channel and our Support Centre.
Please check our guide on credentialed infrastructure scanning if you need assistance with the detections.
Not an AppCheck customer? You can still detect it.
If you’re not an AppCheck customer, don’t worry. Our sales team are on hand to advise how we can assist. Alternatively, you can become an AppCheck customer and have access to our findings immediately when the next big vulnerability arises.
Get in touch: firstname.lastname@example.org
More information as and when it arises. Last updated 9:00am 01/11/2022.