
HC3 Urges Healthcare to Patch OpenSSL Cybersecurity Vulnerability

OpenSSL will receive an update on November 1 to resolve a cybersecurity vulnerability, and organizations should prioritize patching immediately upon release.

UPDATE 11/1/2022 - OpenSSL provided vulnerability guidance for CVE-2022-3786 and CVE-2022-3602. CVE-2022-3602 is no longer labeled as "critical" and was downgraded to "high" after further research. 

"We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible," OpenSSL advised. Users of OpenSSL 3.0.0-3.0.6 should upgrade to 3.0.7 as soon as possible.

OpenSSL said it was not aware of any working exploit that could lead to remote code execution (RCE), and there has been no evidence of any exploitation at this time. 
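As an added example (not from the HC3 alert or the OpenSSL project), a small Python inventory check that parses `openssl version` output and flags builds in the affected 3.0.0 through 3.0.6 range described above; the sample banners in the tests are constructed, and the function names are my own.

```python
import re
import ssl
import subprocess
from typing import Optional, Tuple

# Affected range from the OpenSSL advisory: 3.0.0 through 3.0.6, fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches "OpenSSL 3.0.5" and the pre-3.0 letter style "OpenSSL 1.1.1q".
_VER = r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*"
_LIBRARY_RE = re.compile(r"Library:\s*" + _VER)
_ANY_RE = re.compile(_VER)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner.

    When the banner carries a "(Library: OpenSSL x.y.z ...)" suffix, that is the
    runtime library actually loaded, so it takes precedence over the version the
    CLI binary was compiled against. Returns None when no version is found, so an
    unrecognised build is never silently treated as safe.
    """
    m = _LIBRARY_RE.search(banner) or _ANY_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for any release in 3.0.0 .. 3.0.6 (i.e. before the 3.0.7 fix)."""
    return AFFECTED_MIN <= version < FIXED_IN


def check_banner(banner: str) -> str:
    """Classify a banner as 'affected', 'not-affected' or 'unknown'."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not-affected"


def check_local_openssl(binary: str = "openssl") -> str:
    """Run the local `openssl version` and classify it ('unknown' if not installed)."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return check_banner(out)


def check_python_openssl() -> str:
    """Classify the OpenSSL that this Python interpreter itself is linked against."""
    return "affected" if is_affected(ssl.OPENSSL_VERSION_INFO[:3]) else "not-affected"


if __name__ == "__main__":
    print("system openssl:", check_local_openssl())
    print("python's openssl:", check_python_openssl(), ssl.OPENSSL_VERSION)
```

Running it on each host (and inside containers, where a separate copy of libssl is common) gives a quick per-machine answer to whether the 3.0.7 upgrade still applies.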

10/31/2022: 

Healthcare organizations should prioritize patching an OpenSSL cybersecurity vulnerability as soon as updates are released on November 1, the Health Sector Cybersecurity Coordination Center (HC3) said in a sector alert.

“OpenSSL is an open-source cryptographic library used with many of the most common operating systems and applications to implement Transport Layer Security and its predecessor protocol, Secure Sockets Layer for security in communicating with web and other Internet-facing servers,” the alert explained.

The nature of the vulnerability is not yet known, but HC3 noted that “it is very rare for the OpenSSL Project to classify a vulnerability as critical.”

According to its website, OpenSSL classifies issues as “critical” if they impact common configurations that are likely to be exploitable.

“Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations,” the website states.

The OpenSSL Project is withholding the technical details for now to lower the risk of exploitation before the patch is released. It is known that the vulnerability is limited to OpenSSL versions 3.0.0 through 3.0.6.

“Due to the fact that this vulnerability is applicable across the public and private health sectors and the apparent egregious nature of the vulnerability, exploitation, even on a very large scale, is very possible immediately after patch release on November 1,” HC3 noted.

“Threat actors, both state sponsored and cybercriminals, often reverse engineer a patch upon release to understand the technical details of the vulnerability and in order to develop an exploit. HC3 highly recommends that all health sector organizations treat this vulnerability with the highest priority.”
