OpenSSL vulnerability now rated ‘high’ but should be taken seriously

November 2, 2022 – Published on IT World Canada

The vulnerability in OpenSSL that forced the project’s leaders to issue a security patch on Tuesday isn’t as bad as initially feared, with the hole’s severity shifted from “critical” to “high.”

Still, experts say infosec leaders need to take it seriously.

OpenSSL 3.0.7 fixes a buffer overrun vulnerability in the 3.0 series that can be triggered in X.509 certificate verification.

Most organizations should ensure there is an inventory of where OpenSSL is used and what versions, wrote Jorge Orchilles, a SANS principal instructor and chief technology officer at Scythe. For OpenSSL 3.x solutions, see where and how to apply the patch, he said. Then focus on understanding the implementation of the solutions using OpenSSL 3.x that cannot be patched yet and see if there is a possibility of those implementations being exploitable.

The update fixes two similar issues, CVE-2022-3786 and CVE-2022-3602. Both create buffer overruns that can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the ‘.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
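As an added example (not from the article, and not OpenSSL project code), the following Python triages a constructed OpenSSL inventory along the lines the article describes: it parses `openssl version` banners, flags 3.0.0 through 3.0.6 as affected (fixed in 3.0.7; 1.1.1 and earlier are unaffected), and ranks hosts by the exposure the article gives, with TLS clients and servers that request client authentication ahead of servers that do not. The role labels, hostnames and version banners are assumptions constructed for the example; how the banners are collected from real hosts is outside its scope.

```python
"""Triage an OpenSSL inventory for CVE-2022-3602 / CVE-2022-3786 exposure.

Added example; the inventory below is constructed, not real hosts.
Affected range: OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7.
"""
import re

AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# `openssl version` prints e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_affected(banner):
    """True if the banner reports a 3.0.x build older than 3.0.7."""
    v = parse_version(banner)
    if v is None:
        return False
    return AFFECTED_MIN <= v < FIXED


# Exposure ordering follows the article: a TLS client is reachable by connecting
# to a malicious server; a TLS server only if it requests client authentication.
# The role labels are assumed for this example.
EXPOSURE = {
    "tls_client": "high",
    "tls_server_client_auth": "high",
    "tls_server": "low",
}
PRIORITY = {"high": 0, "unknown": 1, "low": 2}


def triage(inventory):
    """inventory: iterable of (host, role, banner). Returns affected hosts, highest exposure first."""
    findings = []
    for host, role, banner in inventory:
        if not is_affected(banner):
            continue
        findings.append({
            "host": host,
            "version": ".".join(map(str, parse_version(banner))),
            "role": role,
            "exposure": EXPOSURE.get(role, "unknown"),
            "action": "upgrade to OpenSSL 3.0.7",
        })
    findings.sort(key=lambda f: (PRIORITY[f["exposure"]], f["host"]))
    return findings


# Constructed sample inventory (hostnames, roles and banners are made up).
SAMPLE_INVENTORY = [
    ("web-01", "tls_server", "OpenSSL 3.0.5 5 Jul 2022"),
    ("api-gw", "tls_server_client_auth", "OpenSSL 3.0.2 15 Mar 2022"),
    ("batch-03", "tls_client", "OpenSSL 3.0.6 11 Oct 2022"),
    ("legacy-db", "tls_server", "OpenSSL 1.1.1q  5 Jul 2022"),
    ("build-01", "tls_client", "OpenSSL 3.0.7 1 Nov 2022"),
    ("unknown-box", "tls_client", "openssl: command not found"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['exposure']:<8} {f['host']:<12} {f['version']:<6} {f['role']:<24} {f['action']}")
```

Hosts whose banner cannot be parsed are silently skipped here; in a real inventory they belong on a separate "unknown version" list rather than being treated as clean.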

“Exploiting this vulnerability requires quite a bit of setup and a number of factors to fall into place before it could be leveraged,” said Victor Wieczorek, VP of application security, threat and attack simulation at GuidePoint Security. “Organizations should perform analysis to see if they are impacted, although there are relatively limited affected systems, as the attack primarily impacts the client-side, not the server. Technologies like SCA (software composition analysis) tools can help organizations identify where these components are, so they can create an inventory and then a plan for remediation based on risk.”
