On October 25th a security vulnerability on the OpenSSL software was announced causing immediate widespread concern among the cyber security community.
OpenSSL has been around since 2012 and is one of the most widely used open-source libraries worldwide, with version 3 released in September 2021. OpenSSL is an open-source cryptography library and is used by applications, operating systems, and websites to secure communications over the internet using Secure Sockets Layer (SSL) and Transport Layer Security (TSL). In simple terms, it secures communications between computers.
Unusually, this vulnerability was first rated as a ‘critical’ by the OpenSSL team, something that is not often seen.
7 days later on November 1st, OpenSSL released more details and applied the following ‘CVE’ records of the identified exploits: CVE-2022-3786 and CVE-2022-3602. These were listed as ‘high’ by OpenSSL which means that the significance of the exploit has been measured to be lower than originally anticipated.
The vulnerability is a denial-of-service for systems that support client certificate-based authentication. An attacker could send a maliciously crafted certificate to a server that passes certificates as part of client authentication and crash the server. The vulnerability does not appear to allow Remote Code Execution (RCE), however OpenSSL states in their advisory that since their codebase is distributed as source code, some product implementations might have implemented the code in such a way that RCE could be triggered on some platforms.
What are the mitigating actions for security teams and how we can help?
The most important task right now for security teams is to identify workloads with potentially vulnerable versions of OpenSSL and prepare for expedited patching to upgrade to the new version of the software.
The only known mitigation at the time of this report is to upgrade to OpenSSL version 3.0.7. Methods has the capabilities to assist our customers by running queries to determine which endpoints are running vulnerable versions of OpenSSL 3.0.
With the threat landscape continuously changing, we believe it’s vital to have the right processes, competence, and expertise in place to keep your systems and data safe. We provide expert independent and tailored advice, and we work towards cyber security that is:
If you would like any assistance understanding your organisation’s current posture, or to find out more, please get in touch with us at firstname.lastname@example.org.