OpenSSL critical vulnerability will soon be patched with an update

The OpenSSL project team announced the release of a security fix

OpenSSL critical vulnerability will soon be patched with an updateA security flaw that may put OpenSSL users in danger

The OpenSSL library is an open-source implementation of the SSL and TLS cryptographic protocols, which make secure communication across networks possible. It allows using secure Transport Layer Security (TLS)[1] on Linux, Unix, Windows, and many other operating systems. It is also used to secure almost every communication, networking application, and device.

A Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)'s VP of Security, Mark J. Cox, said on Twitter this week:

OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC.

On November 1, 2022, OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library will be released. The OpenSSL team is known to preannounce security fixes via its site and its mailing list. It also notifies organizations that produce a general-purpose OS, maintainers of popular open-source projects that are derived from OpenSSL, and organizations with which the project has a commercial relationship directly in advance.

The potential risks of a critical security hole

According to OpenSSL, an issue of critical severity is likely to be exploited.[2] The vulnerability might be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code execute remotely.

No details have been shared about the vulnerability with the public. According to Mark J. Cox, attackers are unlikely to exploit the vulnerability before the fixed version is released:

Given the number of changes in 3.0 and the lack of any other context information, [attackers successfully scouring the commit history between 3.0 and the current version] is very highly unlikely

However, Johannes Ullrich, dean of research at the SANS Institute, thinks differently:

It is a bit difficult to speculate about the impact, but past experience has shown that OpenSSL doesn't use the label 'critical' lightly

It appears that only OpenSSL versions between 3.0 and 3.0.6 are affected. Organizations should identify if they are using a vulnerable version anywhere in their technology portfolio, which applications are using it, and how long it would take for them to take care of the issue. Additional measures should be taken on systems that might be affected if an exploit emerges before the new security patch is released.

The biggest OpenSSL programming mistake to date

The so-called Heartbleed bug (CVE-2014-0160)[3] in the OpenSSL cryptographic library is thought of as the worst open-source software vulnerability as of yet. It affected hundreds of millions of websites and many users.[4] A programming mistake enabled attackers to pull down 64k chunks of server memory. This allowed hackers to reach social security numbers, credit card numbers, and names.

The flaw discovered in 2014 might have been used to reveal the contents of secured messages, such as credit card transactions over HTTPS, and the primary and secondary SSL keys themselves. In theory, this made it possible to bypass secure servers without leaving a trace that a site had been hacked.

The bug existed in OpenSSL versions from 2012 and affected a wide range of technologies, including popular web servers, like Apache, Nginx, and IIS, companies such as Google, Facebook, Akamai, and CloudFlare, email and chat servers, network appliances from companies such as Cisco; and VPNs.

The Heartbleed bug is credited to have started the mass movement toward security vulnerability awareness in the general public. It also set the trend for naming security vulnerabilities.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions