OpenSSL Fixes High Severity Data-Stealing Bug

July 1, 2023

OpenSSL fixes High Severity Data-Stealing Bug. It is a cryptography toolkit that implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.

It’s an open-source, general-purpose library used by numerous websites and applications for secure communications over the Internet.

License: Apache License v2

This means it can be freely re-released and distributed. It’s a popular choice among developers; often included as part of software packages as part of the application bundle.

CVE-2022-3602

Recently, the OpenSSL team issued two fixes for a data-stealing bug affecting its widely used SSL library. CVE-2022-3602 and CVE-2022-3786 are two newly discovered buffer overflow vulnerabilities in OpenSSL which could allow malicious actors to execute arbitrary code on affected machines.

Contrary to Heartbleed, these bugs do not need an external attack vector or malformed certificate in order to be exploited. Instead, they are activated when an malicious client connects to a vulnerable TLS server.

This means attackers can access sensitive information from any software or service that utilizes the library, such as messaging clients, web browsers, network attached storage (NAS) devices, security gateways and server software with direct OpenSSL dependencies. The vulnerability was downgraded from critical to high severity; hence why security researchers are encouraging users to upgrade to the latest version of OpenSSL and patch any applications or services using it.

A small subset of servers and apps running OpenSSL versions 3.0.0 to 3.0.6 are vulnerable. To resolve the issue, these systems must be upgraded to the most current version of OpenSSL – 3.0.7 – available now.

CVE-2022-3602 was initially classified as critical and could have been exploited through Remote Code Execution (RCE). However, the security team determined this wasn’t likely to occur in common scenarios like when a server or app accepts a certificate before attempting client authentication. Thus, this made the bug difficult to exploit; on November 1st, 2022 it was downgraded from critical severity.

In the meantime, users can check if their software is vulnerable using tools like Censys’ or NCSC-NL’s list of potentially affected products. These services also allow them to determine whether this vulnerability affects a specific server or application.

These vulnerabilities are caused by an implementation error in the popular OpenSSL library, which provides cryptographic services like SSL/TLS. They’re especially significant because they could allow an exploit to steal private keys, encrypted files and other secrets.

To prevent exploiting this vulnerability, administrators should upgrade to the latest version of OpenSSL (v3.0.7) or enable certificates for verification before connecting to a vulnerable TLS server. Doing so will mitigate the issue and make it easier to detect if any machines on your network still use older versions of OpenSSL.

Notify all affected applications and services of this issue, including any server or application that relies on OpenSSL for SSL/TLS client authentication.

It is possible to mitigate this issue by disabling certificate validation in OpenSSL 3.x, though this isn’t always feasible and may necessitate some rework in how applications and services handle TLS authentication. Furthermore, these attacks are unlikely to pose a major threat since many modern systems already have stack-buffer-overflow mitigations installed which would block any infoleak attempts.

CVE-2022-3786

The OpenSSL Project has taken action to fixes two high-severity data-stealing bug in its core cryptographic library used for SSL and TLS, CVE-2022-3786 and CVE-2022-3602, that affected OpenSSL versions 3.0.0 through 3.0.6. The vulnerabilities have been patched in a newly released version of the library – OpenSSL 3.0.7.

According to the OpenSSL team’s blog post, this security flaw should be patched immediately. It could enable remote code execution (RCE) and denial of service attacks that could cause significant business disruption as well as financial losses.

OpenSSL has revised their original rating of this vulnerability down to “high,” due to technical barriers that must be overcome for it to be exploited. Furthermore, modern application runtimes now contain stack overflow protections which make them less vulnerable to exploitation.

According to the OpenSSL Project, there are no known proofs of concept or exploits for either issue. Furthermore, most affected platforms provide stack buffer overflow protections which reduces the risk of RCE attacks.

In order for an attack to succeed, certain conditions must be met. These include client authentication and malicious client connecting. Furthermore, the exploitation target must run an insecure version of OpenSSL with no other mitigations such as stack overflow detection which is easily disabled.

Therefore, it is essential to prioritize a patching strategy and conduct an assessment of the environment to identify any vulnerabilities. Furthermore, customers should guarantee that OpenSSL is up-to-date on all servers, as well as recompile or patch any local applications which utilize the OpenSSL library.

Eight years after the Heartbleed bug, organizations should be able to detect this vulnerability. To do so, organizations can utilize SentinelOne’s platform which enables them to perform simple queries in its management console to identify endpoints running vulnerable versions of OpenSSL and monitor any changes made.

With this platform, organizations can quickly identify which servers are vulnerable to vulnerabilities and automatically upgrade them to the most recent version of OpenSSL. Furthermore, audits can be conducted to determine which vulnerabilities have been patched and if any other attacks remain active on that same affected server.

All systems affected by these vulnerabilities should apply the latest fixes immediately. Organizations also need to reevaluate their current encryption strategies in order to guarantee they are not vulnerable and can protect their data from this vulnerability. Depending on the circumstances, this might mean changing ciphers from “EXPORT” to “LOW,” or even using another cryptographic library altogether such as NSS, BoringSSL or SChannel.

Fixes

Recently, the OpenSSL project fixes a High Severity data-stealing bug that may have exposed sensitive information on servers using SSL protocol. Fortunately, this fix should not have had an enormous effect on servers as it only affects recently released versions of the library.

The OpenSSL maintainers describe this bug as a type confusion issue that could allow an attacker to view memory contents or launch denial-of-service attacks by passing arbitrary pointers to a memcmp call. They noted that this flaw is most likely only likely to impact applications with their own certificate revocation list checking functionality, however.

PEM_read_bio_ex and some decoders introduced in OpenSSL 3.0 are affected functions that may be called directly or indirectly by other OpenSSL modules such as X509_INFO_read_bio_ex, SSL_CTX_use_serverinfo_file, and asn1parse command line application.

In particular, the PEM_read_bio_ex function is invoked by various functions that perform SMIME, CMS or PKCS7 streaming – making this vulnerability particularly serious. Remote attackers could potentially read sensitive information from memory such as connection credentials, SSL keys and more with this flaw.

Fortunately, the issue is relatively rare as it only impacts recently released OpenSSL 3.0 and 1.1.1 versions. According to David Hutchins – project lead developer – this makes it less likely that hackers will exploit it.

He further noted that the patch is likely to have a smaller impact than the 2014 Heartbleed bug due to more recent versions of OpenSSL not being widely used and making it much harder for attackers to exploit in common scenarios.

CVE-2022-3602, originally classified as critical, has now been downgraded to high severity and only affects OpenSSL 3.0 and later versions released after September 2021. Nonetheless, it’s still recommended to audit your systems and ensure you don’t have any vulnerable instances of OpenSSL installed.

One of the most crucial steps you can take to safeguard yourself against this vulnerability is updating your software stack. This involves running antivirus programs on your server and applying any patches or updates that come out.

You might also consider changing the security settings on your server to make it harder for attackers to exploit vulnerabilities like this one. This is especially important if you have a large network.

One way to achieve this is by installing a Secure Sockets Layer (SSL) certificate on your server. This certificate will contain an exclusive key that cannot be shared by any other server.

Once you possess the key, it can be used to encrypt all communications with your server. If someone attempted to spoof your server, they’d need to intercept each incoming TLS packet and alter it in some way.

SSL/TLS has become the de facto standard for online transactions, and it’s easy to see why. It’s fast, dependable and straightforward to set up on various operating systems. Plus, it provides a cost-effective solution that organizations of all sizes can benefit from.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


Preparing Businesses for AI-Powered Security Threats

Preparing Businesses for AI-Powered Security Threats

Preparing businesses for AI-powered security threats. Stay ahead of evolving cybersecurity challenges with proactive strategies and advanced technologies. When AI goes wrong, the repercussions can be devastating. They range from the loss of life if an AI medical...

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs' risk with data broker management. Explore strategies to enhance cybersecurity and safeguard sensitive information in the digital landscape. Every time you use a search engine, social media app or website, buy something online or even fill out a survey...

Vulnerability Prediction with Machine Learning

Vulnerability Prediction with Machine Learning

Advance vulnerability prediction with machine learning. Explore how AI can enhance proactive cybersecurity measures to mitigate potential risks. Machine learning is a field devoted to understanding and building methods that let machines “learn” – that is, methods that...

Recent Case Studies

Mid-size US based firm working on hardware development and provisioning, used DevOps-as-a-...
One of the fastest growing providers of wealth management solutions partnered to build a m...
A US based software startup working on the advancements in genomics diagnostics and therap...

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us