Updated: October 31, 2022
On Thursday, October 27th, 2022, developers of the OpenSSL cryptography library had taken the unusual step of pre-warning that a critical update is due to be announced on Tuesday, November 1, which will address a critical vulnerability. The OpenSSL library is exactly what it sounds like – an open-source implementation of the SSL and TLS cryptographic protocols, which make secure communications possible. Think of the lock icon to the left of your web address in your browser. Not much is yet known about the upcoming critical fix (OpenSSL 3.0.7), other than it is restricted to OpenSSL version 3.0, the latest release line of the library. OpenSSL states it does not affect previous versions. While no details of the upcoming patch, or the critical flaw it tackles, have been released, there is some speculation it centers around a possible DDoS vulnerability. OpenSSL 3.0.x was released in 2021, a factor that hopefully, will limit the extent of the problems Tuesday’s upcoming announcement will reveal.
Listen to Armis’s security experts discuss and explain the latest OpenSSL vulnerability and what it means to you and your firm.
Since OpenSSL 3.0 was released in 2021, and previous versions, specifically 1.1.1, are not affected, hopes are the scope is something less then, well, everything. Much like the Log4j vulnerability disclosed in December, 2021, OpenSSL is included in many operating systems (Windows, macOS, various Linux distributions, etc.); client-side software applications; web and email server software (Apache, nginx, etc.); network appliances (Cisco, Fortinet, Juniper, etc.), industrial control systems, and more. Here is a short list of just Linux distributions that use OpenSSL, and thus, WILL BE affected by this disclosure.
It is also important to note that, when it comes to issue severity, OpenSSL does not use the term CRITICAL lightly. OpenSSL defines a critical vulnerability as such:
“CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.”
Armis automatically identifies assets that are using OpenSSL, and has utilized its vast knowledgebase to evaluate the initial extent of the critical flaw.
Armis has seen across its knowledgebase over 3 billion assets overall. Out of all assets seen using the OpenSSL library, less than 1% were discovered to be using the potentially vulnerable versions of OpenSSL (v3.0), as you can see in the chart below.
This significantly small number is probably due to the relatively recent release of OpenSSL 3.0 and its relatively slow adoption rate.
With that said, the vast majority of Armis customers have at least one asset impacted.
From our initial inspections, assets that are seen using OpenSSL are mostly Servers, Laptops, Desktops and Routers.
Although the initial evaluation of the impact appears limited, until the complete details of the disclosure are known, Armis can only speculate how far reaching this will be, and recommends in situations like this, to reserve caution and prepare for the worst.
OpenSSL does provide for a command line utility and a quick query will return the results of your SSL library running on any device:
% openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
The results above depict a system with an SSL 3.x library in need of the patch that will be released Tuesday, November 1st.
In addition to this check, you may need to search for non-standard installations, as it is possible for systems to also be running application software or appliances that include OpenSSL.
Keep an eye out for communications from all your software suppliers, particularly those that supply Internet-facing software or hardware.
In order to search for potentially vulnerable versions of OpenSSL in an approachable and comprehensive way, Armis users can use the Armis console. Armis automatically detects all potentially vulnerable versions, thus allowing for teams to prepare for the upcoming release.
To search for assets with potentially vulnerable OpenSSL versions (v3.0.0-v3.0.5), use the following ASQ query:
While taking the requisite time to identify and remediate the upcoming OpenSSL 3.x vulnerabilities, know that there have been other critical OpenSSL vulnerabilities identified that should be patched along the way: CVE-2016-6309, and the biggest OpenSSL issue of all – Heartbleed, disclosed in 2014 (Heartbleed predates OpenSSL’s severity criteria). Heartbleed allowed remote attackers to expose sensitive data and continued to wreak havoc years after the event. It exposed the Internet’s dependence on small and unfashionable projects run by volunteers, and spawned forks like LibreSSL and BoringSSL that attempted to clean up OpenSSL’s complex codebase.
Note also that earlier this year, Armis researchers disclosed a set of vulnerabilities related to improper implementation of another TLS library named NanoSSL. The vulnerabilities found (collectively dubbed TLStorm) could have allowed a remote attacker to take complete control of affected devices over the network with no user interaction.
As additional important information comes to light as we approach November 1st’s release, and thereafter, we will update this post with the most relevant information including how to use Armis to search for and identify all IT, OT, and IoT devices in your environment that are vulnerable to this security flaw. Armis is here to help!
Sign up to receive the latest news