Update November 1st 2022 17:37
The severity of this Spooky SSL vulnerability has been downgraded from Critical to High. The vulnerability allows an attacker to craft a malicious certificate that causes a client, server, or application to crash (a DoS) or, potentially, to execute remote code. There are no signs of active abuse so far. The solution is to upgrade to OpenSSL 3.0.7 or, where that is not possible yet, to isolate the system or application.
Update November 1st 2022 14:45
SecurityHive’s Vulnerability Management has been detecting this vulnerability since yesterday evening. Make sure you run an authenticated scan.
What is OpenSSL?
OpenSSL is an open-source software library used for SSL and TLS connections (for example, an HTTPS or RDP connection). A large share of software relies on OpenSSL for its SSL/TLS connections, either through the system library or through a copy bundled with the application.
Not using SecurityHive yet? This article still contains a lot of important and interesting information regarding this vulnerability. Do you want to scan your systems immediately? Start a free trial.
OpenSSL is widely used, battle-tested and regularly audited, but new vulnerabilities are still found in it from time to time.
The OpenSSL project team has pre-announced OpenSSL version 3.0.7, which will become available on Tuesday, the 1st of November 2022, between 13:00 and 17:00 UTC. This version is a security-fix release rated CRITICAL severity by the project.
Why is it so important?
OpenSSL is used for encrypting your connections. A vulnerability in OpenSSL may have one or more of the following outcomes:
- Your connection can be decrypted, intercepted, or modified, so that an attacker is able to read the data (including passwords, cookies, sessions, and form data) flowing over it. This is both a security and a privacy incident.
- An attacker is able to mount a denial-of-service (DoS) attack on your system, making it unreachable or taking it offline.
- Parts of your system and/or its memory become accessible to an attacker.
At this moment, we don’t know which of these outcomes applies, as the details have not been published yet. OpenSSL pre-announced the release so everyone can schedule patch time and get ready. We’ll update this article once more information is available.
Am I affected?
The vulnerability exists in all OpenSSL 3.0.x versions (3.0.0 through 3.0.6) and is fixed in OpenSSL 3.0.7; the older 1.1.1 and 1.0.2 lines are not affected. Check whether your systems have an OpenSSL 3.0.x version installed.
It’s easy to check using a vulnerability scan (authenticated scan preferred).
Asset Management shows you the list of applications installed on each system and therefore which assets are vulnerable.
If you don’t use SecurityHive’s Vulnerability Management yet, you can easily start a trial, or run openssl version or sudo lsof -n | grep libssl.so.3 (Linux commands) on all of your systems manually. Note that openssl version only reports the library the openssl command-line tool is linked against; software that bundles its own copy of OpenSSL (Node.js 18, for example) has to be checked separately.
We know the following Operating Systems and Software ship OpenSSL 3.0.x. If your OS or software is not in this list, that does not mean it’s not vulnerable; this is only the list we know for sure has OpenSSL 3.0.x installed by default:
- Cisco WSA Ironport
- Symantec VIP Gateway
- Red Hat Enterprise Linux (RHEL) 9
- CentOS Stream 9
- Ubuntu 22.04
- Ubuntu 22.10
- Fedora Rawhide
- Fedora 36
- Kali 2022.3
- Linux Mint 21 Vanessa
- Rocky Linux 9.0 (Blue Onyx)
- Node.js >= 18.0.0
- MariaDB 10.9
- Oracle Linux 9
- Tomcat 10.1
- Various Cisco solutions (see: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a)
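The manual check above, worked out as a small POSIX shell script. This is an added example and not code from SecurityHive or the OpenSSL project: it classifies an openssl version string as being in the affected 3.0.0 to 3.0.6 range, and then inspects the local host by reading /proc/*/maps for processes that have libssl.so.3 mapped (equivalent to the lsof one-liner, but it also works where lsof is not installed). The version-string format ("OpenSSL 3.0.5 5 Jul 2022") is the one the openssl binary prints; the --scan flag and function names are this example's own.

```shell
#!/bin/sh
# Added example (not SecurityHive's or OpenSSL's own code): find OpenSSL
# 3.0.0 .. 3.0.6 on a Linux host. 3.0.7 carries the fix; the 1.1.1 and
# 1.0.2 lines are not affected.

# Returns 0 when the given `openssl version` string is in the affected
# range, 1 otherwise.
#   openssl_is_vulnerable "OpenSSL 3.0.5 5 Jul 2022"  -> 0 (vulnerable)
#   openssl_is_vulnerable "OpenSSL 3.0.7 1 Nov 2022"  -> 1 (fixed)
#   openssl_is_vulnerable "OpenSSL 1.1.1q 5 Jul 2022" -> 1 (not affected)
openssl_is_vulnerable() {
  # Keep only the leading numeric part: "3.0.5" from "OpenSSL 3.0.5 5 Jul 2022",
  # "1.1.1" from "OpenSSL 1.1.1q 5 Jul 2022" (the letter suffix is dropped).
  num=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
  [ -n "$num" ] || return 1
  major=${num%%.*}
  rest=${num#*.}
  minor=${rest%%.*}
  rest=${rest#*.}
  patch=${rest%%.*}
  # Refuse anything that did not parse into a plain patch number.
  case $patch in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "$patch" -le 6 ]
}

# Reports the OpenSSL the command-line tool is linked against, every process
# that currently has the 3.0-line shared library mapped (run as root to see
# other users' processes), and the copy bundled in Node.js if present.
# Processes keep the old library in memory until restarted, so a package
# upgrade alone does not fix them. Statically linked software other than
# Node.js is not covered and needs its own version check.
scan_local_host() {
  if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if openssl_is_vulnerable "$v"; then
      echo "VULNERABLE: $v (upgrade to 3.0.7)"
    else
      echo "ok: $v"
    fi
  else
    echo "no openssl binary in PATH"
  fi
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}
    pid=${pid%/maps}
    if grep -q 'libssl\.so\.3' "$maps" 2>/dev/null; then
      cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
      echo "pid $pid ($cmd) has libssl.so.3 mapped; restart it after patching"
    fi
  done
  if command -v node >/dev/null 2>&1; then
    nv=$(node -p process.versions.openssl 2>/dev/null)
    if openssl_is_vulnerable "OpenSSL $nv"; then
      echo "VULNERABLE: Node.js bundles OpenSSL $nv (upgrade Node.js)"
    else
      echo "ok: Node.js bundles OpenSSL $nv"
    fi
  fi
}

# Usage: sh check_openssl.sh --scan   (as root to see all processes)
if [ "${1:-}" = "--scan" ]; then
  scan_local_host
fi
```

Run it with --scan on each host; a clean result from openssl version is not enough on its own, since the process list is what tells you which long-running services still need a restart (or a reboot) after the package upgrade.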
What should I do?
At this moment, there is no fix available. Schedule time in your calendar so you are ready to patch as soon as the update becomes available. Once the details become available:
- Patch your systems immediately by installing the update, and restart the services that use OpenSSL (or reboot), because running processes keep the old library in memory until they are restarted.
- If no patch is available for your specific system or software, mitigate the vulnerability by isolating the system.
I’m not sure yet how to proceed, or I still have questions
Don’t worry: you can chat with us by clicking the orange rounded button (on our website and in the Portal) or just give us a call. We’re here to help.