
Security Update: OpenSSL High Vulnerability (CVE-2022-3602)

Benjamin Marr, Security Engineer

Key Points

Update: The OpenSSL team have released details of the vulnerabilities and a patch, which is available on their website.

The vulnerability (CVE-2022-3602) that caused mass speculation online was downgraded to High following a secondary review by those involved with the OpenSSL project. This was due to a handful of limitations and modern system protections which, when combined, significantly reduce the likelihood of real-world exploitation.

We recommend that you continue to patch according to your normal schedule for High severity weaknesses.

The OpenSSL team have released a comprehensive blog post explaining the situation, along with an accompanying FAQ, available at https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/.

About the vulnerability

The OpenSSL project has pre-announced a new and critical vulnerability that will be fixed in OpenSSL version 3.0.7, expected 1 November 2022. This post will be updated as new information and guidance becomes available.

OpenSSL has released a statement pre-notifying the InfoSec community about a critical vulnerability within OpenSSL 3.0.X. The older LTS branch, 1.1.1, is unaffected by this vulnerability. Due to an NDA between the OpenSSL team and other parties, no further information is available until the OpenSSL team release a patch. The patch, along with specific vulnerability information, will be available on 1 November between 1pm and 5pm GMT, when the embargo is lifted.

How will this impact you?

Some vendors have been trying to identify the wider impact of this vulnerability. For example, Docker estimates that 1,000 of its official images could be impacted. Meanwhile, Wiz have scanned their cloud infrastructure and estimate that only 1.5% of the scanned cloud targets have OpenSSL version 3 available. The saving grace here is that only recent Linux distributions ship with OpenSSL version 3, such as Ubuntu 22, Debian 12 and RHEL 9.

At Intruder, we don't think it’s time to panic. But you should be aware of the information available from OpenSSL and your vendors, who will need to release their own patches following tomorrow's OpenSSL patch.

In a post-Log4j world, the InfoSec community is sensitive to any vulnerability deemed critical within libraries or frameworks that is exploitable in a “default or common configuration”. We've seen this with Spring4Shell and the Apache Commons Text vulnerability. These precedents, combined with the lack of information, have caused some experts to work themselves up into a frenzy, spreading misinformation and then deleting some of the source posts.

However, others such as Kevin Beaumont have been the voice of reason over the past few days, keeping the conversation grounded in facts.  

What do we recommend while you wait?

  1. The most important step is to determine your exposure and understand where OpenSSL 3.0.X is used in your systems. While it isn’t possible to remotely detect every instance of OpenSSL, you can view identified versions via Intruder's Network View.
  2. Run regular scans over the coming weeks to keep this data as up-to-date as possible and to identify any vulnerable systems. However, to detect services which do not disclose version information, the most reliable (albeit time-consuming) method is to query the package managers on devices to determine the version installed.
  3. Once all of the vulnerable versions have been identified, the next step is to mitigate any exposures. Prioritise externally-facing and mission-critical systems first. This can be achieved by patching applications which use the library and performing system updates when they become available following the release of 3.0.7 tomorrow.
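As an added example (not Intruder's tooling or OpenSSL project code), the POSIX shell below implements the package-manager check from step 2 and the version triage behind steps 1 and 3. The function names `openssl_affected` and `installed_openssl_version` are hypothetical; the affected range 3.0.0 through 3.0.6 follows from the fix shipping in 3.0.7, as stated above.

```shell
#!/bin/sh
# Added example, not Intruder's code. Classifies an OpenSSL version string as
# affected by CVE-2022-3602 (3.0.0 through 3.0.6; fixed in 3.0.7).
# Accepts a bare version ("3.0.5"), a distro package version
# ("3.0.2-0ubuntu1.7"), or the output of `openssl version`
# ("OpenSSL 3.0.5 5 Jul 2022"). Prints the verdict and returns
# 0 = affected, 1 = not affected, 2 = no version found in the input.
openssl_affected() {
    # First dotted triple in the input is taken as the upstream version.
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    [ -n "$ver" ] || { echo "unparsed"; return 2; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # 1.1.1 is unaffected; 3.1.x and later are not in the affected range.
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo "affected"
        return 0
    fi
    echo "not affected"
    return 1
}

# Ask the host's package manager what is installed (the reliable check from
# step 2), falling back to the openssl binary. Package names are the ones
# used on Debian/Ubuntu (libssl3) and RHEL/Fedora (openssl).
installed_openssl_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libssl3 2>/dev/null | head -n1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' openssl 2>/dev/null | head -n1
    elif command -v openssl >/dev/null 2>&1; then
        openssl version
    fi
}

# On a real host, run:  openssl_affected "$(installed_openssl_version)"
```

Distributions often backport fixes without changing the upstream version number, so treat an "affected" result as a triage signal and confirm it against your distribution's security advisory for the package.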

What is Intruder doing for you?

This OpenSSL vulnerability has the potential to have a major impact on systems and organisations worldwide. While it is unknown whether this vulnerability will lead to mass exploitation like Heartbleed, you should take steps now to identify your risk and limit your exposure to the maximum extent possible.

Our updated Network View helps identify exposed services which disclose the OpenSSL version number. In addition, our security team will be monitoring developments as soon as the embargo is lifted. The security team will also perform manual Rapid Response checks for Vanguard clients, and notify any customers affected by any exposures to this vulnerability.

Use this time to find where OpenSSL 3.x is used in your estate, ready for the patch tomorrow. It goes without saying that having a regular, automated vulnerability scanner such as Intruder in place will ensure that critical components in your systems are always monitored for the latest updates and patch levels.

Not using a vulnerability scanner yet? Sign up here to scan your systems for vulnerabilities and see your attack surface as it appears to real hackers.

[Figure: screenshot of Intruder's Network View, which tracks changes in your IT environment such as recently opened ports and services.]
