Threat Response: Critical vulnerability in OpenSSL 3

31-10-2022


On the 25th of October, the developers of OpenSSL[1] announced that a critical security update will be released for OpenSSL version 3 on the 1st of November between 13:00 and 17:00 UTC[2]. At this point, no details about the vulnerability are known, but OpenSSL assigns this classification only if the vulnerability affects common configurations and is likely to be exploitable[3]. Because many applications use the OpenSSL library, we want to inform you through this Threat Response about the potential impact and provide you with actions that can be taken beforehand. The vulnerability only affects version 3 of OpenSSL, which was released in the summer of 2021; software that uses an older version is not vulnerable.

Description

OpenSSL is a popular software library that is used to encrypt digital communication and data using TLS/SSL. OpenSSL is commonly used in solutions found on servers, endpoints, operational technology (OT), Internet of Things (IoT) devices, network equipment, etc.

Impact

There is no information about the vulnerability in the OpenSSL software library, other than that it specifically impacts version 3. At the time of writing, there are no indications that the vulnerability is being exploited. Based on the ‘critical’ classification by OpenSSL, Northwave assumes that (future) exploitation of the vulnerability will have a high impact. Additionally, we expect that publications from the cyber-security community with examples of how to exploit the vulnerability will follow soon after the update has been released by OpenSSL.

Risk

Because of the popularity of OpenSSL and the widespread usage of software that utilizes OpenSSL[4][5], Northwave estimates the risk as high. Depending on the exact vulnerability, exploitation might allow remote code execution or the compromise of secured communication.

Mitigation

OpenSSL will release a security update on Tuesday, 1st of November between 13:00 and 17:00 UTC that will mitigate the vulnerability[2]. Following this, vendors will be able to integrate the new version into their products and release updates for these products.

What should you do?

Northwave recommends performing the following actions:

  • Proactively start inventorying the usage of OpenSSL version 3 within the organization. Consider all applications, such as (TLS) proxies, VPN servers, load balancers, and services provided by external vendors. Pay particular attention to systems that can be accessed from the internet.
  • Implement the OpenSSL security update (version 3.0.7) as soon as suppliers have integrated it into their software.
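A small inventory helper for the first recommendation above, added here as an example and not part of the Northwave advisory: it classifies an `openssl version` string against the 3.0.7 fix and, on Linux, lists running processes that have an OpenSSL 3 shared library mapped. It assumes a POSIX shell and the standard /proc layout; the library names libssl.so.3 and libcrypto.so.3 are the usual ones but may differ on some distributions.

```shell
#!/bin/sh
# Inventory helper for the OpenSSL 3 advisory (example code, not from the advisory).
# classify_openssl_version: takes the output of `openssl version` and prints one of
#   affected      - OpenSSL 3.0.0 through 3.0.6 (update to 3.0.7 once available)
#   fixed         - OpenSSL 3.0.7 or later
#   not-affected  - OpenSSL 1.x or older (the advisory states only version 3 is impacted)
#   unknown       - string not recognised (e.g. LibreSSL, which is a separate code base)
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    if [ "$major" -lt 3 ]; then
        echo not-affected
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected
    else
        echo fixed
    fi
}

# find_openssl3_processes: on Linux, list PIDs whose memory map contains an OpenSSL 3
# shared library, so services using the affected major version can be found even when
# the host's `openssl` binary is a different version. Caveat: applications that bundle
# a statically linked copy of OpenSSL are not detected this way and need vendor input.
find_openssl3_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto)\.so\.3' "$maps" 2>/dev/null; then
            printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}

# Check the host's own OpenSSL first, then look for processes that loaded OpenSSL 3.
printf 'host openssl: %s\n' "$(classify_openssl_version "$(openssl version 2>/dev/null)")"
find_openssl3_processes
```

Run it on each inventoried host; a `fixed` result for the host binary does not clear processes that still have an old libssl.so.3 mapped, so restart those after updating.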

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. We will also investigate whether any additional action can be taken based upon available information within our monitoring services.

You can call us by phone or send us an email if you would like additional information.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: OpenSSL organisation – https://www.openssl.org/

[2]: Forthcoming OpenSSL Releases – https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

[3]: OpenSSL Security policy: Issue severity CRITICAL – https://www.openssl.org/policies/general/security-policy.html

[4]: Forks and Stars on GitHub openssl/openssl – https://github.com/openssl/openssl

[5]: Public statistics of OpenSSL usage – https://trends.builtwith.com/Server/OpenSSL

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.