Relief has flooded the users of the OpenSSL library as the sustainers of the project released patches to tackle a high-severity bug with the potential to trigger Remote Code Execution (RCE) under certain circumstances.
OpenSSL 3.0.5 version was released on 5 July 2022 to address a grave memory corruption vulnerability that risked x64 systems with Intel’s Advanced Vector Extensions 512 (AVX512). This was introduced first with the launch of OpenSSL 3.0.4, which was manufactured to combat a command injection vulnerability (CVE-2022-2068) in the cryptographic library.
What is OpenSSL?
First released in 1998, OpenSSL is a wide-ranging cryptography library, offering open-source applications of the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocol. It allows sanctioned users to carry out SSL allied functions, and is available for Linux, macOS, Windows and BSD (Berkeley Software Distribution) Operating Systems.
The library features:
- Tools for creating RSA private keys
- Managing certificates
- Executing encryption/decryption
Over 66% of all web servers utilize OpenSSL as it is a toolkit licensed under Apache, which makes it free to use for commercial and non-commercial purposes.
OpenSSL 3.0.4 and 3.0.5
On 22 June 2022, Xi Ruoyao reported a high severity issue in the OpenSSL which came to surface with the 3.0.4 version that he created to fix a preceding issue in the toolkit.
The release led to the discovery of CVE-2022-2274, a heap memory corruption in the RSA implementation for X86_64 CPUs supporting the AVX512 IFMA instructions. The bug promotes memory corruption during the computation by misdirecting the RSA implementation with 2048 bit private keys. The memory corruption deftly clears the way for attackers, who are enabled to trigger a Remote Code Execution on the computing device.
Heap Memory Corruption – This occurs when the allocator’s view of heap is damaged by the program. The end result may be a benign level memory leak or it might turn fatal, causing a memory fault within the allocator itself.
Guido Vranken, a security researcher, claimed that two devices using OpenSSL to establish a secure connection with each other may fall victim to exploitation by execution of an arbitrary malicious code. He also added that the remote exploitation of the vulnerability may result in more alarming circumstances than the ‘Heartbleed’ incident.
The ‘Heartbleed’ Chronicles
A memory leak vulnerability, Heartbleed was discovered by Google Security’s Neel Mehta and announced by Cloud Flare. The OpenSSL loophole could allow the theft of protected information by the SSL/TLS encryption which is used to safeguard the Internet.
The exploitation of this bug could allow any person on the Internet to read the memories of the systems protected by the vulnerable OpenSSL software due to which, the secret keys used for the identification of service providers and encryption of the traffic, as well as, user passwords and names could be compromised. The attackers could eavesdrop on communications, impersonate, and directly steal sensitive information from the services and users.
OpenSSL 3.0.5, released on 5 July 2022, is a fix for CVE-2022-2274 for the affected SSL/TLS servers using 2048 bit RSA private keys.
The Security Advisory
After the detection of CVE-2022-2274 vulnerability, OpenSSL swiftly released a security advisory.
- The servers affected by this flaw are the servers which use 2048 bit RSA private keys running on devices supporting AVX512IFMA instructions of the X86_64 framework.
- OpenSSL testing is estimated to fail on a vulnerable device, so it should be observed before deployment.
- The OpenSSL 3.0.4 users should upgrade to the newly manufactured OpenSSL 3.0.5 version.
The users of OpenSSL 1.1.1 and 1.0.2 should not be concerned since these versions are not affected by this vulnerability.
Can Security Testing Help?
In the face of security threats which cannot be detected during a security testing after deployment like CVE-2022-2274, it is always better to take precautions beforehand.
Making a newly designed application undergo regular VAPT can assist organizations with detecting vulnerabilities present in them before an attacker can exploit these loopholes to cause data breaches. It can also safeguard them in situations where security after distribution is not an option.
Kratikal Tech Pvt. Ltd. is a security solutions consultancy firm providing a complete suite of Vulnerability Assessment and Penetration Testing (VAPT) services, like Mobile/Web Application Penetration Testing, Cloud Penetration Testing, Network Penetration Testing, along with the others. These services regularly test concerned applications/devices to remove the threat of security risks, which keeps an organization’s IT infrastructure secure.
Organizations can also utilize Kratikal’s security auditing services for Compliance, such as SOC2, ISO/IEC 27001, GDPR, PCI DSS, etc. to stay true to regulations and laws in the cybersecurity domain.
Don’t you think remote vulnerabilities have spread to too many devices and networks? Share your thoughts in the comments below.