Security Alert | OpenSSL Critical Vulnerability

[social_warfare]

October 28, 2022

Executive Summary

OpenSSL is a popular open-source cryptographic library that allows for secure communication between computer networks and is widely used for traffic encryption on the internet. On Tuesday, October 25, 2022, the OpenSSL Project announced that on November 1, 2022, between 1300 and 1700 (1:00 pm and 5:00 pm) UTC they will be releasing OpenSSL version 3.0.7. This new version of OpenSSL is a security-fix release that will fix a critical vulnerability within the open-source cryptographic library but will not affect OpenSSL versions before 3.0.

According to the OpenSSL Project, a vulnerability that has a severity level of critical “affects common configurations…which are also likely to be exploitable.” However, the details pertaining to the critical vulnerability have not been disclosed due to their policy of keeping such critical vulnerabilities private. But Mark J. Cox, an OpenSSL Project team member, expresses to users that attackers are unlikely to search for and discover the vulnerability before the fixed version is widely deployed due to “the number of changes in 3.0 and the lack of any other context information.”

In 2014, OpenSSL addressed and fixed the Heartbleed vulnerability in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability allowed attackers on the internet to access the memory of the systems utilizing the vulnerable version of OpenSSL This vulnerability allowed for access to sensitive information such as usernames, passwords, and tokens. Given this past occurrence and the impact it had on the users, it’s imperative that users stay vigilant and prepared to patch their systems upon the release of the new OpenSSL version.

Due to the implementation and importance of OpenSSL across various organizations in many industries and the unknown impacts of this critical vulnerability, the Converge / CBI, A Converge Company security team will continue to monitor for developments and determine if any actions are required.

Who’s at Risk

Potentially, hardware devices, operating systems, and software applications utilizing OpenSSL for secure communications.

Recommendations

Inventory instances of OpenSSL within network infrastructure.
Prepare to install a new version of OpenSSL upon the version release in a timely and efficient manner.

Sources

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
https://twitter.com/iamamoose/status/1584908434855628800?cxt=HHwWgMC40eD03P4rAAAA
https://twitter.com/iamamoose/status/1585167771838869505
https://www.helpnetsecurity.com/2022/10/26/openssl-3-0-7-vulnerability-critical-fix/
https://www.openssl.org/policies/general/security-policy.html
https://www.synopsys.com/blogs/software-security/heartbleed-bug/#:~:text=The%20Heartbleed%20bug%20is%20a,evidence%20of%20a%20compromised%20system

About the Author

Threat Intel Group

The Threat Intel Group (TIG) is a critical component of CBI’s Managed Security Services. The TIG’s dedicated team of threat hunters summarize and interpret today’s threats to improve your security posture at scale. Combining globally recognized security methodologies, data and automation with high-level analysis, CBI’s Threat Intel Group provides powerful insights to enhance your organization's security decision-making process. All information is actionable and provides strategic, tactical and operational threat intelligence to raise stakeholders' awareness and embolden proactiveness.