Announced on October 25, 2022, it is a buffer overflow vulnerability in the X.509 certificate verification code (the TLS certificate verification path) of OpenSSL library versions 3.0.0 through 3.0.6. It can be used to achieve RCE (Remote Code Execution) through a malicious TLS certificate that is signed by a trusted CA (Certificate Authority).
It mainly affects clients (the users), since the server certificate is verified on the client side.
Servers can also be exposed through TLS client certificates, which can sidestep the CA signing requirement because client certificates are typically not required to be signed by a trusted CA.
Quick details on the vulnerability by OpenSSL: https://www.openssl.org/news/secadv/20221101.txt
An attacker can redirect the victim to a malicious TLS server that presents a certificate generated and signed by the attacker, which in turn triggers the vulnerability.
Note: OpenSSL version 3 and SSLv3 are not the same thing. OpenSSL library versions 3.0.0 through 3.0.6 are the ones affected here.
If your system contains OpenSSL versions 3.0.0 to 3.0.6, you are affected.
It is worth checking if you are handling any of the following:
Linux operating systems such as Ubuntu 22.04 LTS, macOS Ventura, Fedora 36, and others
Container images built on vulnerable Linux versions
C/C++ based software (since OpenSSL v3 packages may be bundled with it)
Node.js 18.x and 19.x
Have a look at the list of software vulnerable to this OpenSSL issue published by the National Cyber Security Centre of the Netherlands (NCSC-NL).
Run the command:
openssl version
In Windows-based software the OpenSSL libraries are named libcrypto.dll or libssl.dll, and on Linux they are named libcrypto.so or libssl.so (the file name may also carry the version number at the end). You can find the OpenSSL version number embedded in them using strings and a regular expression.
It is harder to find the version when OpenSSL is statically linked into an executable, but the following commands extract OpenSSL version strings from the binaries themselves (the dots in the version pattern are escaped so they match only a literal dot).
Unix: strings /path_to_executable | grep "^OpenSSL\s*[0-9]\.[0-9]\.[0-9]"
Windows: Select-String -Path C:\path_to_executable.exe -Pattern "OpenSSL\s*[0-9]\.[0-9]\.[0-9]" -AllMatches | % { $_.Matches } | % { $_.Value }
Update to the latest version, 3.0.7, released on November 1, 2022, if any of your applications or installations (whether deployed or still under development) use or depend on OpenSSL versions 3.0.0 to 3.0.6.
Admittedly, it is a daunting task to find and fix such rapidly emerging vulnerabilities across all the applications and assets you own.
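As an added example (not part of the original post), the following POSIX shell script turns the three steps above (check the version, scan binaries for embedded version strings, decide whether to update) into two reusable functions. classify_version decides whether an OpenSSL version string falls in the affected 3.0.0 to 3.0.6 range, and scan_file pulls embedded "OpenSSL x.y.z" strings out of a binary with grep -a, which is used here instead of strings so the script needs only grep. The "binary" it scans in the demo is a constructed file with a fake version banner between NUL bytes.

```shell
#!/bin/sh
# Added example, not from the original post: inventory helper for the
# OpenSSL 3.0.0-3.0.6 buffer overflow (fixed in 3.0.7).

# classify_version STRING
# Accepts "3.0.5" or a full "OpenSSL 3.0.5 5 Jul 2022" line and prints one of:
#   affected   -> 3.0.0 through 3.0.6 (update to 3.0.7)
#   fixed      -> 3.0.7 or later in the 3.0 branch
#   not-3.0.x  -> some other branch (e.g. 1.1.1), out of scope for this issue
#   unknown    -> no x.y.z version number found in the string
classify_version() {
  v=$(printf '%s\n' "$1" | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
  if [ -z "$v" ]; then
    echo "unknown"
    return 0
  fi
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ]; then
    if [ "$patch" -le 6 ]; then
      echo "affected"
    else
      echo "fixed"
    fi
  else
    echo "not-3.0.x"
  fi
}

# scan_file PATH
# Prints every distinct "OpenSSL x.y.z" string embedded in the file together
# with its classification. grep -a treats the binary as text, so strings(1)
# is not needed; sort -u collapses repeated banners.
scan_file() {
  grep -a -o -E 'OpenSSL[[:space:]]*[0-9]+\.[0-9]+\.[0-9]+' "$1" | sort -u |
  while IFS= read -r match; do
    printf '%s: %s -> %s\n' "$1" "$match" "$(classify_version "$match")"
  done
}

# Demo on a constructed "binary": a fake version banner surrounded by NUL bytes.
demo_file=$(mktemp)
printf 'junk\000OpenSSL 3.0.5 5 Jul 2022\000more junk\000' > "$demo_file"
scan_file "$demo_file"
rm -f "$demo_file"

# Report the system OpenSSL, if one is on PATH.
if command -v openssl >/dev/null 2>&1; then
  sys=$(openssl version)
  printf 'system openssl: %s -> %s\n' "$sys" "$(classify_version "$sys")"
fi

# Scan any binaries passed on the command line.
for f in "$@"; do
  scan_file "$f"
done
```

Run it as sh scan_openssl.sh /usr/bin/some_binary /usr/lib/libssl.so to report every embedded OpenSSL version; anything printed as "affected" is a candidate for the 3.0.7 update. The regex only matches the x.y.z form, so a version banner such as "OpenSSL 3.0.2 15 Mar 2022" yields 3.0.2 and the date is ignored.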
But are you alone in securing your assets? Well, the answer is a bigggg NO!
Beagle Security – your human-like intelligent assistant can help you to hunt for all the possible threats in the web application, APIs, and GraphQL endpoints proactively – taking you a step ahead of the hacker and thereby avoiding breaches.