OpenSSL 3.0.7 Patch – Spooky TLS: The Patch That Gave Everyone a Halloween Scare
A warning was issued on Tuesday, October 25 directly from OpenSSL: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
OpenSSL 3.0.7 is a security-fix release.
The highest severity issue fixed in this release is CRITICAL
Most teams got a hold of the warning before the end of the business week and started to begin the patch management process ahead of the disclosure, which happens today (November 1). The last critical vulnerability from OpenSSL was Heartbleed (CVE-2014-0160), eight years ago.
At first glance of the release notes, it appears that this may have been overblown. It would require a vulnerable TLS client to connect to a malicious server which is more of a phishing-based attack versus remote RCE. Additionally, it requires either a CA to have signed the malicious certificate or for the application to continue certification verification despite failure to construct a path to a trusted issuer.
Potentially, in a TLS client, it could be triggered by connecting to a malicious server, if the server requests client authentication and a malicious client connects.
Additionally, it was downgraded from CRITICAL to HIGH primarily due to non-exploitability (under most circumstances) for RCE.
OpenSSL 3 is not the same as SSLv3 and this vulnerability exists only in OpenSSL Version 3 and not SSLv3.
The vulnerability affects only OpenSSL version 3.0.0 to 3.0.6, with the patch being shipped in version 3.0.7. Given the very recent release date of OpenSSL 3.0.0, older appliances with hardcoded OpenSSL versions are unlikely to be vulnerable.
NCSC-NL has a helpful list of confirmed affected/unaffected software here: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
How To Detect with Tromzo
Tromzo can help with identifying all vulnerable software assets and help with the remediation of this issue.
While we have faith that your teams have already done the patch management last week, this weekend and early this week. If you need help, we are here for you. Please feel free to contact us at [email protected] and we will help you through this vulnerability.
On a recent episode of the Future of Application Security podcast, Curtis Koenig, Head of Application Security at Gen, talked about how he's able to understand security...Read more
On a recent episode of the Future of Application Security podcast, Arthur Loris, Senior Manager, Product Security at Ping Identity, talked about how the biggest challenge to...Read more