On Thursday, October 27th, 2022, developers of the OpenSSL cryptography library had taken the unusual step of pre-warning that a critical update is due to be announced on Tuesday, November 1, which will address a critical vulnerability. The OpenSSL library is exactly what it sounds like – an open-source implementation of the SSL and TLS cryptographic protocols, which make secure communications possible. Think of the lock icon to the left of your web address in your browser. Not much is yet known about the upcoming critical fix (OpenSSL 3.0.7), other than it is restricted to OpenSSL version 3.0, the latest release line of the library. OpenSSL states it does not affect previous versions. While no details of the upcoming patch, or the critical flaw it tackles, have been released, there is some speculation it centers around a possible DDoS vulnerability. OpenSSL 3.0.x was released in 2021, a factor that hopefully, will limit the extent of the problems Tuesday’s upcoming announcement will reveal.
Chris Dobrec, VP of Product and Industry Solutions, at Armis recommends the following for security teams to do to prepare.
OpenSSL does provide for a command line utility and a quick query will return the results of your SSL library running on any device:
% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
The results above depict a system with an SSL 3.x library in need of the patch that will be released Tuesday, November 1st.
In addition to this check, you may need to search for non-standard installations, as it is possible for systems to also be running application software or appliances that include OpenSSL. Keep an eye out for communications from all your software suppliers, particularly those that supply Internet-facing software or hardware.
While taking the requisite time to identify and remediate the upcoming OpenSSL 3.x vulnerabilities, know that there have been other critical OpenSSL vulnerabilities identified that should be patched along the way: CVE-2016-6309, and the biggest OpenSSL issue of all – Heartbleed, disclosed in 2014 (Heartbleed predates OpenSSL’s severity criteria). Heartbleed allowed remote attackers to expose sensitive data and continued to wreak havoc years after the event. It exposed the Internet’s dependence on small and unfashionable projects run by volunteers, and spawned forks like LibreSSL and BoringSSL that attempted to clean up OpenSSL’s complex codebase.
As additional important information comes to light as we approach November 1st’s release, and thereafter, we will update this post with the most relevant information including how to use Armis to search for and identify all IT, OT, and IoT devices in your environment that are vulnerable to this security flaw.
Join Armis’s latest webinar ‘OpenSSL Vulnerability Explained’ on Wednesday 2nd November 2022 at 11:30 EST/15:30pm GMT to hear from their security experts discuss and explain the latest OpenSSL vulnerability and what it means to you and your firm. Click here to register.