OpenSSL Deems Vulnerability ‘Critical’, Will Publish Patch Tuesday

Does an OpenSSL vulnerability with a ‘critical’ CVE rating rival Heartbleed? That’s what some security experts are saying as they await a fix expected on Tuesday.

The OpenSSL project team confirmed that an OpenSSL 3.0.7 update, “a security-fix release,” will be available November 1. And while no real details on the flaw were released, security researchers warned organizations to act quickly. “It’s really important that you patch OpenSSL 3.x when the new version comes out on Thursday.”

Twitter was buzzing about the implications and how organizations and vendors would handle the vulnerability going forward.

“It’s not enough for OpenSSL to issue a patch and for admins to simply run apt-get upgrade,” said John Bambenek, principal threat hunter at Netenrich. “An entire ecosystem of applications built with OpenSSL will also have to update their code, release their own updates and organizations will need to apply them.”

And the disclosure alone might not take care of the threat. “The biggest concern I have with disclosures such as this is that end-of-life products will not issue updates,” said Bambenek. “One of the largest risks in technology as a whole is that products being shipped will be used long after the vendor stops supporting them, leaving the end user to fend for themself on a product they can’t fix.”

By giving security practitioners a heads-up, OpenSSL could open the door to threat actors as well. “The concern I have in situations like this, or with any other critical component, is that exploit developers will turn their attention toward the vulnerable software hoping to find and exploit the vulnerability before the new release comes out,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “Here, threat actors don’t have a lot of time to act, which minimizes the risk of disclosing that an unspecified vulnerability exists.”

OpenSSL’s Mark J. Cox, who said this is only the second time that a vulnerability in OpenSSL was deemed ‘critical’, defended the decision to give researchers advance notice before the patch was released. “That’s our policy—to provide folks with a date so they know to be ready to parse an advisory and see if the issue affects them,” he tweeted. “Given the number of changes in 3.0 and the lack of any other contextual information, malicious activity such as scouring is very highly unlikely.”

Organizations should take a methodical approach to protecting themselves. “The first step to address this vulnerability is identifying assets with OpenSSL3—this is where a vulnerability scanner updated with the latest critical vulnerabilities is fundamentally important,” said Parkin. “You should be able to gain visibility into vulnerable software clusters until the patch is ready [November 1] in order to take necessary precautions against a potential exploit. Once the patch is available, organizations should start receiving notification actions and update their software accordingly.”
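Parkin’s first step (find every asset running OpenSSL 3) and Bambenek’s warning (applications that ship their own copy of OpenSSL must be updated separately from the system package) both come down to an inventory problem. The script below is an added example, not code from the article or from the OpenSSL project: it parses the banner that `openssl version` prints on each host, classifies each version against the announced 3.0.7 fix release (so any 3.0.x below 3.0.7 is flagged), and searches file contents for the same banner string that libcrypto embeds, which is how a statically linked or vendored copy inside an application binary is found even when the distribution package is already current. The host names, banners and the fake binary blob are constructed sample data; the classification rule (“3.0.x before 3.0.7 needs the patch”) is an assumption drawn from the announcement, not from a published advisory.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption taken from the announcement: 3.0.7 is the security-fix release
# for the 3.x line, so any 3.0.x build below 3.0.7 is treated as needing it.
FIXED_VERSION: Version = (3, 0, 7)

# Matches both the banner printed by `openssl version` and the same text that
# libcrypto embeds in binaries (OPENSSL_VERSION_TEXT), e.g. "OpenSSL 3.0.5 ...".
_VERSION_RE = re.compile(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_version(banner: str) -> Optional[Version]:
    """Extract the first 'OpenSSL X.Y.Z' triple from an `openssl version` banner."""
    m = _VERSION_RE.search(banner.encode("ascii", "replace"))
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def classify(version: Version) -> str:
    """Map a version triple to the action this advisory calls for."""
    major, minor, patch = version
    if major != 3:
        return "not-3.x"       # outside the 3.x line the advisory covers
    if (major, minor, patch) < FIXED_VERSION:
        return "needs-patch"   # 3.0.0 .. 3.0.6
    return "patched"           # 3.0.7 or later


def embedded_versions(blob: bytes) -> List[Version]:
    """Return the distinct OpenSSL version triples found as strings inside a blob."""
    found: List[Version] = []
    for m in _VERSION_RE.finditer(blob):
        major, minor, patch = (int(g) for g in m.groups())
        if (major, minor, patch) not in found:
            found.append((major, minor, patch))
    return found


def scan_files(paths: Iterable[Path]) -> Dict[str, List[Tuple[Version, str]]]:
    """Read each file and report embedded OpenSSL versions with their status.

    Useful for application directories (/opt, container layers, vendor trees)
    where a bundled libcrypto would not show up in the package manager.
    """
    report: Dict[str, List[Tuple[Version, str]]] = {}
    for p in paths:
        try:
            data = Path(p).read_bytes()
        except OSError:
            continue  # unreadable or vanished file; skip rather than abort the scan
        hits = [(v, classify(v)) for v in embedded_versions(data)]
        if hits:
            report[str(p)] = hits
    return report


def inventory(host_banners: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Turn {host: banner} into (host, version, status) rows; unparseable banners are flagged."""
    rows: List[Tuple[str, str, str]] = []
    for host, banner in host_banners.items():
        v = parse_version(banner)
        if v is None:
            rows.append((host, banner.strip(), "unknown"))  # needs a human look
        else:
            rows.append((host, ".".join(map(str, v)), classify(v)))
    return rows


# Constructed sample data: banners in the form `openssl version` prints them on
# four imaginary hosts, and a fake binary blob standing in for an application
# that bundled its own copy of libcrypto.
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "build-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-09": "LibreSSL 3.3.6",
}
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"OpenSSL 3.0.2 15 Mar 2022\x00" + b"\x90" * 16
    + b"OpenSSL 3.0.2 15 Mar 2022\x00"
)

if __name__ == "__main__":
    for host, version, status in inventory(SAMPLE_BANNERS):
        print(f"{host:10} {version:28} {status}")
    for v in embedded_versions(SAMPLE_BLOB):
        print("bundled copy:", ".".join(map(str, v)), classify(v))
```

In practice the banners would be collected from each host (for example by a configuration-management run of `openssl version`) and `scan_files` pointed at application directories; a host that reports `patched` from its system package can still carry a `needs-patch` copy inside a vendored binary, which is exactly the ecosystem problem Bambenek describes.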


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
