On October 25, the OpenSSL team announced that a security patch for a critical vulnerability in OpenSSL version 3.x was being prepared. The team also stated that the patch would be released on Tuesday, November 1, 2022, between 1300 and 1700 UTC.
The announcement drew attention in the community because OpenSSL is widely used and the security team rated the vulnerability “critical”. As the ThreatMon Team, we researched the vulnerability and want to share our findings with you in this article.
What is OpenSSL?
OpenSSL is open-source software used to establish secure network communication over the SSL/TLS protocols. It is also used to create, sign, and distribute certificates. It is written in the C programming language and runs on Windows and on Unix-like operating systems such as Linux, macOS, and BSD.
What is the scope of the vulnerability?
The vulnerability affects OpenSSL 3.0.0 and above. The OpenSSL team announced that the upcoming security patch will arrive with the release of OpenSSL 3.0.7.
What known applications are vulnerable to the announced vulnerability?
Most applications that currently use OpenSSL are on either version 1.1.1 or 1.0.2. However, Linux distros generally ship with OpenSSL. If you are a Linux user, it is important to check whether you are running one of the releases below.
- Debian 12
- Fedora 36
- Kali 2022.3
- CentOS Stream 9
- Ubuntu 22.04+
- Red Hat Enterprise Linux 9
Because the Linux distros above already ship with OpenSSL 3, they are vulnerable to the mentioned vulnerability. To avoid future problems, we highly advise you to check your OpenSSL version by typing “openssl version” in your terminal.
Additionally, because Node.js 18.x and 19.x use OpenSSL 3 by default, we assume that a security patch will be released for Node.js. You can follow the patch here.
What are the possible outcomes of the vulnerability?
Because details are lacking and no CVE number has been assigned yet, we don’t know the exact outcomes of exploiting the vulnerability. On the other hand, as far as we know from the statements of the OpenSSL team, the severity level of the vulnerability was rated “critical”. Vulnerabilities with a severity level of critical can generally be exploited remotely with ease or can expose sensitive information about the target.
To give an example, exploitation of the critical security vulnerability in OpenSSL in 2014 (Heartbleed, CVE-2014-0160) allowed unauthorized access to a 64 KB region of RAM on the client or the server side. Thus, all the encrypted data that was stored in the server’s memory could be read.
Based on the example above, the OpenSSL team’s announcement of a critical vulnerability tells us that it has the potential to have a high-level impact on targets.
How can I protect myself from the OpenSSL 3 vulnerability?
OpenSSL released OpenSSL 3.0.7 on November 1, 2022. This version contains the required security updates for the vulnerability. Our team advises that you check the OpenSSL versions of your applications and update any application using OpenSSL 3.0.0 or above to OpenSSL 3.0.7. For the OpenSSL 3.0.7 update, you can visit this link.
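The version check advised above can be scripted. The following is an added example, not code from ThreatMon or the OpenSSL project: it classifies a version banner against the range given in this article and also reads the OpenSSL version bundled with Node.js. The function names `classify_openssl` and `report` and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version banner against the range in the
# article (3.0.0 and above affected, 3.0.7 fixed, 1.x outside the range).
# classify_openssl and report are names made up for this example.

# Prints one of: affected | patched | not-affected | not-openssl | unknown
classify_openssl() {
    # macOS and some BSDs answer "openssl version" with a LibreSSL banner;
    # its 3.x numbers belong to a different code base, so do not compare them.
    case "$1" in *LibreSSL*) echo not-openssl; return 0 ;; esac
    # First x.y.z in the text: "OpenSSL 3.0.2 15 Mar 2022", "3.0.5+quic", "1.1.1f".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    old_ifs=$IFS; IFS=.
    set -- $ver                      # split into major minor patch
    IFS=$old_ifs
    if [ "$1" -lt 3 ]; then
        echo not-affected            # 1.0.2 / 1.1.1 lines
    elif [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ "$3" -lt 7 ]; then
        echo affected                # 3.0.0 through 3.0.6
    else
        echo patched                 # 3.0.7 or later
    fi
}

report() { printf '%-13s %s: %s\n' "$(classify_openssl "$2")" "$1" "$2"; }

# Constructed sample banners.
report sample "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)"
report sample "OpenSSL 1.1.1f  31 Mar 2020"
report sample "OpenSSL 3.0.7 1 Nov 2022"
report sample "LibreSSL 3.3.6"

# Whatever is installed on this host: the CLI, and the library bundled in Node.js.
if command -v openssl >/dev/null 2>&1; then
    report "openssl CLI" "$(openssl version 2>/dev/null || true)"
fi
if command -v node >/dev/null 2>&1; then
    report "node bundled" "$(node -p process.versions.openssl 2>/dev/null || true)"
fi
```

Distribution packages often backport fixes without changing the upstream version string, so an "affected" result for a distro-packaged OpenSSL should be confirmed against the distributor's own package version and advisory.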