OpenSSL vulnerabilities get high-priority patches
The OpenSSL Project released version 3.0.7 Tuesday to address a pair of high-severity buffer overflow vulnerabilities in the widely used cryptography library.
Users and administrators are being advised to update OpenSSL following the disclosure of a pair of high-severity bugs in the cryptography tool.
The OpenSSL 3.0.7 patch addresses both CVE-2022-3602 and CVE-2022-3786, a pair of buffer overflow vulnerabilities that could potentially lead to crashes. OpenSSL is a widely used cryptography library that offers open source implementations of both TLS and SSL protocols.
OpenSSL versions 3.0.0 through 3.0.6 are confirmed to be vulnerable; versions prior to 3.0.0 do not contain the vulnerable code.
The CVE-2022-3602 vulnerability in particular has been closely watched by the infosec community. Originally classified as a critical security risk in an OpenSSL Project announcement last week, the bug was downgraded to a high security risk just before the update was released.
"Our security policy states that a vulnerability might be described as CRITICAL if 'remote code execution is considered likely in common situations,'" the OpenSSL Project said. "We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1st November 2022 before being released to HIGH."
The OpenSSL Project explained that while the vulnerabilities describe buffer overflows, a common avenue for remote code execution, the open source organization believed that the vulnerable buffers could not reliably be targeted remotely. OpenSSL admitted, however, that due to the nature of open source software and Linux distributions, remote code execution in all cases couldn't be entirely ruled out.
"[As] OpenSSL is distributed as source code we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms," the developer wrote.
According to Cisco Talos, the OpenSSL vulnerabilities can potentially be triggered by sending an email with a specially crafted X.509 certificate in either client or server Linux builds.
"X.509 is the standard defining the format of public key certificates, commonly used in protocols including TLS as well as digital signatures," the vendor explained. "Importantly, these vulnerabilities can affect both the client and server in contrast to most vulnerabilities that typically impact one or the other, broadening the potential attack surface."
There could, however, be at least one saving grace for users and administrators. Cisco Talos noted that because the vulnerable 3.0 builds were a relatively recent release, having landed in September, many systems are likely to still be running one of the older versions that do not contain the vulnerable code.
Regardless, all users and administrators are being advised to install the patched 3.0.7 build.
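As an added defender-side check (not part of the article, and not OpenSSL Project code), the following POSIX shell function classifies an `openssl version` banner against the affected range stated above (3.0.0 through 3.0.6, fixed in 3.0.7). It assumes only a POSIX sh and `sed`; the banners used as sample input are constructed.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the range
# affected by CVE-2022-3602 and CVE-2022-3786 (3.0.0 through 3.0.6,
# fixed in 3.0.7). Pre-3.0 releases such as 1.1.1q do not contain the
# vulnerable code. Prints one of: affected, unaffected, unknown.
openssl_status() {
    # Accept a bare version ("3.0.6") or the banner printed by
    # `openssl version` ("OpenSSL 3.0.6 11 Oct 2022", a constructed sample).
    # Letter suffixes (1.1.1q) and "-dev" tags are dropped by the regex.
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*\).*/\2/p')
    case "$ver" in
        *.*.*) ;;                       # need major.minor.patch
        *) echo unknown; return 0 ;;    # LibreSSL, empty, or truncated input
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}                  # drop any further components
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected
    else
        echo unaffected
    fi
}

# Check the openssl binary on PATH. This only covers the CLI: a service may
# link a bundled or statically linked libssl that must be checked separately.
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary on PATH"
        return 0
    fi
    banner=$(openssl version 2>/dev/null)
    echo "$banner -> $(openssl_status "$banner")"
}
```

Source the file and call `report_local_openssl` to classify the host's `openssl` binary, or pass any banner string to `openssl_status` directly.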