Friday, December 6, 2024

What You Should Know about the New OpenSSL Vulnerability

TL;DR: If you use OpenSSL 3.0 or higher, prepare to upgrade to version 3.0.7 as soon as possible. The fix is available from Tuesday, 1 November 2022, between 1300-1700 UTC.

On Tuesday, the OpenSSL team announced the release of a new version to address a critical vulnerability in versions 3.0.0 and higher. The new version will be available from November 1, 2022. The OpenSSL library rarely has critical vulnerabilities, but due to its popularity and widespread use, we should be cautious.

On the basis of the critical level assigned by the OpenSSL team, we can assume that the vulnerability can be easily exploited, and involves data leakage or remote code execution. It is therefore extremely important that organizations act swiftly to determine any use of the affected OpenSSL version and if they are exposed to the vulnerability.

Impact of the Vulnerability

According to the announcement, the vulnerability affects only newer versions of OpenSSL V3.0 and higher. It is hard to predict the potential damage and risk of this vulnerability to the organization. What we do know is that, despite being the most recent version of OpenSSL, which was released one year ago, OpenSSL V3.0 is far less ubiquitous than OpenSSL V1.0.

We can split the impact into different categories: OS distributions, containers, web applications and any other application that uses an embedded OpenSSL library.

Recommended:  Siemens S7 Layer 2 - Denial of Service (DoS)

OpenSSL V3.0 has been incorporated into Linux operating systems such as Ubuntu 22.04 LTS, MacOS Ventura, Fedora 36, and others. It should be noted, however, that most of these Linux distributions only include OpenSSL 3.0 and above in their most recent releases of the OS applications. These versions are considered testing versions so may not be widely used in production systems. If you develop proprietary software in your organization, you should also check if your code uses the vulnerable OpenSSL version.

In addition, many Docker Official images still use OpenSSL V1.x and are not affected. The Docker Official container images for popular projects like Redis and httpd are unaffected. On the other hand, NodeJS’s latest version is vulnerable.

In terms of web applications, the adoption of OpenSSL V3.0 is very slow. Running a query in Shodan, we found approximately 14,000 devices running OpenSSL V3.0.0 as opposed to 770,000 running OpenSSL V1.1.1. According to this survey, OpenSSL V3.0 is adopted by less than 0.2% of websites worldwide, in comparison to more than 75% of V1.

We see that the adoption of OpenSSL V3.0 and above is still very low. Nonetheless, you should still check if you have entities with the vulnerable version in your organization.

Vulnerable OS Versions

Based on our research, we’ve compiled a list of the most popular OS distributions and versions that contain the vulnerable OpenSSL version.

OS DistributionOpenSSL Version
Fedora 363.0.5
Fedora Rawhide3.0.5
Ubuntu 22.043.0.2
Oracle linux 9.03.0.1
Kali 2022.33.0.5/3.0.4
Redhat ES 93.0.0
Redhat Enterprise Linux RHEL-9.03.0.1
OpenBSD 7.23.0.5
OpenBSD 7.13.0.2
Linux Mint 21 Vanessa3.0.2
Maegia Cauldron3.0.5
OpenMandriva3.0.6
Rocky Linux release 9.0 (Blue Onyx)3.0.1
Debian unstable sid/sting bookworm3.0.5
Linux lite 6.0 fluorite3.0.2u
Almalinux OS 9.03.0.1e
CentOS Stream 93.0.1
Nix unstable3.0.5
Gentoo linux unstable3.0.5
Kubuntu 22.10 kinetic/22.04 jammy3.0.5/3.0.2
Lubuntu 22.10 kinetic/22.04 jammy3.0.5/3.0.2
xubuntu 22.10 kinetic/22.04 jammy3.0.5/3.0.2
Ubuntu MATE kinetic/22.04 jammy3.0.5/3.0.2
Ubuntu Budgie 22.10 kinetic/22.04 jammy3.0.5/3.0.2
Ubuntu Studio 22.10 kinetic/22.04 jammy3.0.5/3.0.2
Ubuntu Unity 22.10 kinetic3.0.5
Ubuntu Kylin 22.04 jammy3.0.2

view rawVulnerableDistros|OpenSSL.csv hosted with love by GitHub

Recommended:  Log4J: The Vulnerability That Destroyed The Internet

How To Detect If You Are Vulnerable

As shown above, OpenSSL can be used in multiple places in your organization. We’ve created a list of 5 methods to detect which OpenSSL version you are using and determine if you are exposed to the vulnerability:

1. OpenSSL Version Command

The command allows you to determine the version your system is currently using. Based on that you can tell if the version is 3.0.*.

ubuntu@ubuntu:~$ openssl version
OpenSSL 1.1.1n  15 Mar 2022

2. Linux Package Managers

Amazon Linux:

repoquery --all --pkgnarrow=installed --qf="%{NAME} %{VERSION} %{RELEASE}" | grep openssl

OR

rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl

Debian & Ubuntu:

dpkg-query -W -f="\${Package},\${Version}\n" | grep openssl

RHEL, Fedora, Oracle, CentOS:

rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n"` | grep openssl

3. Docker Image Vulnerability Database

The Docker Image Vulnerability Database can help you find vulnerable Docker images. For now, the placeholder is dubbed “DSA-2022-0001.”

4. Vulnerability Scanning For Docker Local Images

apt-get update && apt-get install docker-scan-plugin

The docker scan command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:

docker scan hello-world

5. Trivy

sudo trivy image --format spdx oraclelinux:9 | grep -i -C 4 openssl

Suggest an edit to this article

Cybersecurity Knowledge Base

Latest Cybersecurity News

Cybersecurity Academy

Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Please login to bookmarkClose
Recommended:  PAN-OS 10.0 RCE (Remote Code Execution) Vulnerability
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

RiSec.Mitch
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates

explore

more

security