On October 25, the OpenSSL Project Team announced the forthcoming release of OpenSSL version 3.0.7. The team has not shared many details, but it does say that the update arrives on November 1 and will include a patch for a new critical CVE.
This is an important update: the OpenSSL Project has announced a "critical" vulnerability in versions 3.0 and above of the vastly popular cryptographic library used to encrypt communications on the Internet.
OpenSSL is an open-source project that provides easy-to-use cryptographic functions and is used to secure communications around the world. In simple words, 'the internet runs on OpenSSL'.
OpenSSL rates its security issues by severity, and for a rating of critical to be issued the vulnerability must affect common configurations and be likely to be exploitable, for example by leading to private key disclosure or being easily exploited remotely. That combination makes it a target of interest for exploit developers.
Why Is This OpenSSL Flaw Important?
As noted above, 'the internet runs on OpenSSL', and everyone depends on it. You may not know it, but OpenSSL is what makes it possible to use Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems.
A researcher warns that this OpenSSL flaw could be another Log4Shell situation, because OpenSSL is even more ubiquitous than Log4j, the Java logging library.
Log4j (version 2) was affected by the Log4Shell vulnerability (CVE-2021-44228), disclosed nearly a year ago. Given the ubiquitous nature of that library, the severity of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability was quite severe.
Log4Shell (CVE-2021-44228) is a zero-day vulnerability in the popular Java logging library Log4j (version 2) that results in Remote Code Execution (RCE) simply by logging a certain string.
According to the OpenSSL team’s security policy, a vulnerability of Critical Severity “affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations.”
Who Is Impacted?
According to the initial advisory, this vulnerability only affects OpenSSL versions 3.0.0 through 3.0.6. This means that older operating systems and devices are likely not affected by the issue.
For example, Red Hat Enterprise Linux (RHEL) 8.x and earlier and Ubuntu 20.04 are not affected, whereas RHEL 9.x and Ubuntu 22.04 may be vulnerable, as they ship OpenSSL 3.x.
Here is a list of the distributions or products which may be affected:

| Vulnerable | Not Vulnerable |
|---|---|
| | |
What to Do for Mitigation?
As there is not much information available regarding the vulnerability, no CVE has been assigned yet, and the update will only arrive on 1 November, until then we have to wait.
If you want to confirm whether your system is affected, check the list above, or check the OpenSSL version on your system by typing the `openssl version` command in a terminal.
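A small shell script that performs that version check and classifies the result against the 3.0.0 through 3.0.6 range, added here as an example; it is not part of the original post or of the OpenSSL project, and the file name check_openssl.sh is assumed:

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version
# against the 3.0.0 through 3.0.6 range named in the pre-announcement.
# Usage: sh check_openssl.sh            (inspects the openssl binary on PATH)
#        sh check_openssl.sh "3.0.5"    (classifies a given version string)

# Extract "major.minor.patch" from either a bare version ("3.0.2") or the
# full output of `openssl version` ("OpenSSL 3.0.5 5 Jul 2022").
# Prints nothing if no OpenSSL-style numeric version is found.
openssl_version_number() {
  printf '%s\n' "$1" |
    sed -n 's/^[Oo]pen[Ss][Ss][Ll] *//; s/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints "affected" for 3.0.0 through 3.0.6 (the range given in the advisory),
# "not-affected" for any other OpenSSL version (including 3.0.7, the announced
# fixed release), and "unknown" if the string cannot be parsed.
openssl_affected() {
  ver=$(openssl_version_number "$1")
  if [ -z "$ver" ]; then
    echo unknown
    return 0
  fi
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
    echo affected
  else
    echo not-affected
  fi
}

# Triage the openssl binary on PATH, or a version string passed as $1.
# Distribution packages may backport fixes without changing the version
# string, so treat this as a first check, not a final verdict.
if [ $# -gt 0 ]; then
  openssl_affected "$1"
elif command -v openssl >/dev/null 2>&1; then
  v=$(openssl version)
  printf '%s -> %s\n' "$v" "$(openssl_affected "$v")"
fi
```

The `openssl` command only reports the copy on your PATH; applications and containers that bundle their own OpenSSL 3.0.x need to be checked separately.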
History of Popular OpenSSL Vulnerabilities
OpenSSL is an open-source implementation of the SSL and TLS security protocols, which provide encryption and server authentication over the Internet. Any significant security flaw in OpenSSL has the potential for massive impact, due to its ubiquitous nature.
There have been multiple flaws affecting OpenSSL, but two of them are the best known:
Heartbleed Bug (CVE-2014-0160): The Heartbleed vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.
OpenSSL 1.1.0a Vulnerability (CVE-2016-6309): CVE-2016-6309 was a use-after-free (UAF) vulnerability that affected only OpenSSL version 1.1.0a, a single release, and was triggered when processing large messages. A remote attacker could cause the OpenSSL server to crash, or execute arbitrary code on it, simply by sending a handshake packet with a message larger than 16KB.