The OpenSSL vulnerability is big news. Why? This one is the OpenSSL bug with the highest level of risk since the infamous Heartbleed way back in 2014. It has since resulted in the release of two common vulnerabilities and exposures (CVEs). This is important when you consider that OpenSSL is a very large software code library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is widely used by just about any application. Its purpose is to secure communications over computer networks and protect them from eavesdropping or any need to identify the party at the other end. It is heavily used by Internet servers and most HTTPS websites.
CVE-2022-37786 and CVE-2022-3602 both concern a buffer overrun that can be triggered in X.509 certificate verification, specifically in name constraint checking. This happens after certificate chain signature verification and requires either a signed malicious certificate or for an application to continue certificate verification despite failure to build a path to a trusted issuer. As a result, an attacker can craft malicious email addresses in certificates to overflow a certain number of bytes. This buffer overflow can result in denial of service.
The good news is that these vulnerabilities have been downgraded from critical to high risk (though they are still serious) due to the fact that many platforms implement stack overflow protections to mitigate against this kind of remote code execution. The risks posed by these vulnerabilities can be further mitigated based on the stack layout for different platforms and compilers. That doesn’t mean there is no urgency. Users should upgrade to a new OpenSSL version (OpenSSL 3.0.7) as soon as possible.
Not Another Heartbleed
The initial panic on this one has subsided somewhat since security researchers realized it was not so devastating as what happened with Heartbleed 8 years ago. Heartbleed enabled malicious users to trick vulnerable web servers into sending sensitive information, including usernames and passwords. It caused complete devastation in its heyday. Some analysts said that it affected roughly one in every six SSL servers. Part of the problem was that certain requests within OpenSSL, at that time, weren’t checked for accuracy. This meant that attackers could easily trick an SSL server into allowing malicious access to parts of its memory that should have been kept secure. By letting an attacker see the contents of a memory buffer containing sensitive information, for example, they could sometimes gain the SSL private keys to allow decryption of secure communications as well as usernames and passwords. You can read more about it and what Heartbleed did to enterprise systems in CVE-2014-0160. That vulnerability ended up costing organizations around the world as much as half a billion dollars according to some estimates due to the need to revoke and replace SSL certificates.
Heartbleed is Still Being Hacked
Despite it being so old and so virulent, hackers continue to exploit Heartbleed. There are still servers around that have not yet installed the patch that fixes the bug. How many? SANS Institute figures put the number of servers that remain vulnerable at close to a quarter of a million in late 2020. It may have come down somewhat since then. Nevertheless there are still a lot of servers out there that remain vulnerabule to a prehistoric bug.
This fact makes it clear that organizations need all the help they can get when it comes to fixing known vulnerabilities. Systems should be scanned to find any and all servers that are vulnerable to the latest OpenSSL vulnerability. But they should also check for any remaining Heartbleed issues, too. The CVEs cover the various steps required for remediation. But the basic action is to deploy the necessary patches as soon as possible.
Syxsense takes the uncertainty out of patch deployment. It scans all servers, endpoints, and systems for vulnerabilities and automatically deploys patches anywhere and everywhere across the network to fix serious issues fast. It can take care of OpenSSL issues rapidly. After a rapid setup, administrators can rely on it to patch systems thoroughly and fast.
For more information, visit www.syxsense.com
