The OpenSSL library is now available in the announced, updated version. The developers have closed security gaps that were initially classified as critical, meaning flaws that occur in normal configurations and could easily be exploited by attackers. IT managers with vulnerable systems should download and install the latest software as soon as possible.
OpenSSL 3.0.7 closes the security gap that existed in versions 3.0.0 to 3.0.6. Versions prior to OpenSSL 3.0.0, which was released in September 2021, are not affected by the vulnerability. Administrators running the 1.1.1 or 1.0.2 series of the OpenSSL library therefore do not need to take action.
Two vulnerabilities in the X.509 parser
According to the advisory, there are two buffer overflow vulnerabilities in the parser for X.509 certificates, each of which can be triggered by specially crafted email addresses in certificates (CVE-2022-3602, CVE-2022-3786). To attack a server, it must first request certificate-based client authentication, which is not common with HTTPS. To trigger the error in a client, the client must first connect to a malicious server.
In both cases, the dangerous buffer overflow occurs only after the trustworthiness of the certificate has been checked. This means that a malicious certificate would either have to be signed by a certification authority, or the client would have to continue examining certificates that were already recognized as invalid. Which client software behaves this way will probably only become clear from the advisories of the respective vendors (or corresponding analyses by third parties).
Overall, the gaps turn out to be less critical than initially assumed. Large-scale waves of attacks like Heartbleed are not to be expected from these weaknesses, because several factors have to come together in each case. The OpenSSL developers probably think so too and have lowered the rating from “critical” to “high” in the official OpenSSL Advisory.
The updated source code is available for download from the OpenSSL project website. In addition, the fixed sources can be cloned from the OpenSSL GitHub repository. Thanks to the advance notice, the Linux distributions should also offer updated packages very promptly. Administrators may need to use the distribution’s own package manager to find, download, and install them.
The Dutch National Cyber Security Center (NCSC-NL) maintains a detailed list of vulnerable and non-vulnerable distributions on GitHub, which IT managers can use as a guide for the time being.
However, only the actual output of the command openssl version in the terminal provides certainty about the active OpenSSL version.
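As an added example (not part of the original article), the following Python helper parses the output of openssl version and reports whether the reported version falls in the affected range 3.0.0 to 3.0.6 named above. The sample output lines are constructed for illustration; the check is version-based only and does not tell you whether client authentication or connections to untrusted servers are actually configured.

```python
import re
import subprocess

# Affected range stated in the advisory: 3.0.0 up to and including 3.0.6; fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches "OpenSSL 3.0.6 ..." as well as the 1.x scheme with a letter suffix ("1.1.1q").
# Output from LibreSSL (e.g. on macOS) deliberately does not match: it is a different library.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(output: str):
    """Return (major, minor, patch, letter) from `openssl version` output, or None."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, m.group(4))


def is_affected(output: str) -> bool:
    """True if the reported version lies in 3.0.0..3.0.6 (CVE-2022-3602 / CVE-2022-3786)."""
    v = parse_openssl_version(output)
    if v is None:
        raise ValueError("no OpenSSL version string found in: %r" % output)
    return AFFECTED_MIN <= v[:3] <= AFFECTED_MAX


# Constructed sample outputs, as `openssl version` would print them on different hosts.
SAMPLE_OUTPUTS = [
    "OpenSSL 3.0.6 11 Oct 2022",          # affected
    "OpenSSL 3.0.7 1 Nov 2022",           # fixed release
    "OpenSSL 1.1.1q  5 Jul 2022",         # 1.1.1 series, not affected
    "OpenSSL 1.0.2k-fips  26 Jan 2017",   # 1.0.2 series, not affected
]


def check_installed() -> bool:
    """Run the local `openssl version` binary and classify its output."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return is_affected(out)


if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print("%-36s affected=%s" % (line, is_affected(line)))
```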
Around eight years ago, the vulnerability known as Heartbleed caused a tremor on the Internet: the OpenSSL library is practically omnipresent and left many systems vulnerable. It was a meltdown for encryption on the web: attackers were able to read out the encryption key and thus decrypt communication that was supposed to be protected.
Since Heartbleed came as a surprise to many, the OpenSSL project decided to announce critical vulnerabilities about a week in advance. This way, those potentially affected can prepare to download and install the updates quickly once they are available. At least that is how the IT security experts at the Internet Storm Center explain it in their advance notice.
This article has been published on the website: heise.de