Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)

Briefing on OpenSSL vulnerability

Released on October 25, 2022, it is a buffer overflow vulnerability found in the X.509 certificate verification (the TLS certificate verification code) of OpenSSL library versions 3.0.6 and lower. It can be used to achieve RCE (Remote Code Execution) through a malicious TLS certificate that is signed by a trusted CA (Certificate Authority).

It mainly affects the client (i.e. the users), because the certificate is verified on the client side.

Servers can also be susceptible to the attack through a TLS client, which could bypass the CA signing requirement, since client certificates are typically not required to be signed by a trustworthy CA.

Quick details on the vulnerability by OpenSSL:

How can an attacker exploit you with the latest OpenSSL vulnerability?

An attacker can redirect the victim to a malicious TLS server that presents malicious certificates generated and verified by the attacker, which in turn triggers the vulnerability.

Note: OpenSSL version 3 and SSLv3 are not the same. OpenSSL library versions 3.0.6 and lower are affected here.

Am I vulnerable to the OpenSSL vulnerability and how to fix it?

If your system contains an OpenSSL version from 3.0.0 to 3.0.6, it is likely to be vulnerable.

It is worth checking if you are handling any of the following:

  • Linux operating systems such as Ubuntu 22.04 LTS, macOS Ventura, Fedora 36, and others

  • Container images built with vulnerable Linux versions

  • C/C++ based software (since OpenSSL v3 packages may be included)

  • Node.js 18.x and 19.x

Have a look at the list of software vulnerable to the OpenSSL exploit, published by the National Cyber Security Centre of the Netherlands (NCSC-NL).

To find the current OpenSSL version, you may use the following methods:

In system

Run the command:

openssl version

In library files of software (dynamically linked)

In Windows-based software, the OpenSSL libraries are named libcrypto.dll or libssl.dll, and in Linux, they will be named or (the file name might also contain the version number at the end). You can find the OpenSSL version number by running strings on the library file and filtering the output with a regular expression.

Compiled within the software itself

It is harder to find the version in this scenario, but you can use the following commands to extract the OpenSSL version from the executables.

Unix: strings /path_to_executable | grep "^OpenSSL\s*[0-9]\.[0-9]\.[0-9]"

Windows: Select-String -Path C:\path_to_executable.exe -Pattern "OpenSSL\s*[0-9]\.[0-9]\.[0-9]" -AllMatches | % { $_.Matches } | % { $_.Value }
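
The same check applied to a whole directory tree, as an added example that is not part of the original article: it searches every file for an embedded OpenSSL version banner and reports only the files that fall in the 3.0.0 to 3.0.6 range named above. The function names and the sample file names and contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Version banner that OpenSSL builds embed, e.g. b"OpenSSL 3.0.5 5 Jul 2022".
BANNER = re.compile(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 0, 6)  # range stated in the article


def embedded_versions(data: bytes) -> set[tuple[int, ...]]:
    """Return every OpenSSL x.y.z version found in a binary blob."""
    return {tuple(int(p) for p in m.groups()) for m in BANNER.finditer(data)}


def is_affected(version: tuple[int, ...]) -> bool:
    """Tuple comparison handles multi-digit components such as 3.0.10."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file under root that embeds an affected version to those versions."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        hits = sorted(v for v in embedded_versions(data) if is_affected(v))
        if hits:
            findings[str(path.relative_to(root))] = [".".join(map(str, v)) for v in hits]
    return findings


def demo() -> dict[str, list[str]]:
    """Scan constructed sample files (not real binaries) in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app_static").write_bytes(b"\x7fELF\x00junk\x00OpenSSL 3.0.5 5 Jul 2022\x00")
        (root / "libcrypto_fixed").write_bytes(b"\x00OpenSSL 3.0.7 1 Nov 2022\x00")
        (root / "legacy_tool").write_bytes(b"\x00OpenSSL 1.1.1q  5 Jul 2022\x00")
        return scan_tree(root)


if __name__ == "__main__":
    for name, versions in demo().items():
        print(f"{name}: embeds affected OpenSSL {', '.join(versions)}")
```

Point scan_tree at an unpacked container image or an application install directory to use it on real files; a hit means the banner is present in the file, so confirm with the vendor whether the affected code path is actually in use.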

How to fix the new OpenSSL vulnerability

Update to the latest version, 3.0.7, released on November 1, 2022, if any of your applications or installations (whether installed or under development) use or depend on OpenSSL versions 3.0.0 to 3.0.6.

Relax; Together, you are more secure

Indeed, it is a ridiculous task to find and fix such rapidly emerging vulnerabilities in the applications and assets you own.

But are you alone in securing your assets? Well, the answer is a bigggg NO!

Beagle Security – your human-like intelligent assistant can help you to hunt for all the possible threats in the web application, APIs, and GraphQL endpoints proactively – taking you a step ahead of the hacker and thereby avoiding breaches.

Deepraj R
Content Specialist
