Cloud Security Security Bloggers Network 
SBN

What You Should Know about the New OpenSSL Vulnerability

by Ari Eitan on October 31, 2022

TL;DR: If you use OpenSSL 3.0 or higher, prepare to upgrade to version 3.0.7 as soon as possible. The fix is available from Tuesday, 1 November 2022, between 1300-1700 UTC.

On Tuesday, the OpenSSL team announced the release of a new version to address a critical vulnerability in versions 3.0.0 and higher. The new version will be available from November 1, 2022. The OpenSSL library rarely has critical vulnerabilities, but due to its popularity and widespread use, we should be cautious.

On the basis of the critical level assigned by the OpenSSL team, we can assume that the vulnerability can be easily exploited, and involves data leakage or remote code execution. It is therefore extremely important that organizations act swiftly to determine any use of the affected OpenSSL version and if they are exposed to the vulnerability.

Impact of the Vulnerability

According to the announcement, the vulnerability affects only newer versions of OpenSSL V3.0 and higher. It is hard to predict the potential damage and risk of this vulnerability to the organization. What we do know is that, despite being the most recent version of OpenSSL, which was released one year ago, OpenSSL V3.0 is far less ubiquitous than OpenSSL V1.0.

We can split the impact into different categories: OS distributions, containers, web applications and any other application that uses an embedded OpenSSL library.

OpenSSL V3.0 has been incorporated into Linux operating systems such as Ubuntu 22.04 LTS, MacOS Ventura, Fedora 36, and others. It should be noted, however, that most of these Linux distributions only include OpenSSL 3.0 and above in their most recent releases of the OS applications. These versions are considered testing versions so may not be widely used in production systems. If you develop proprietary software in your organization, you should also check if your code uses the vulnerable OpenSSL version.

In addition, many Docker Official images still use OpenSSL V1.x and are not affected. The Docker Official container images for popular projects like Redis and httpd are unaffected. On the other hand, NodeJS’s latest version is vulnerable.

In terms of web applications, the adoption of OpenSSL V3.0 is very slow. Running a query in Shodan, we found approximately 14,000 devices running OpenSSL V3.0.0 as opposed to 770,000 running OpenSSL V1.1.1. According to this survey, OpenSSL V3.0 is adopted by less than 0.2% of websites worldwide, in comparison to more than 75% of V1.

We see that the adoption of OpenSSL V3.0 and above is still very low. Nonetheless, you should still check if you have entities with the vulnerable version in your organization.

Vulnerable OS Versions

Based on our research, we’ve compiled a list of the most popular OS distributions and versions that contain the vulnerable OpenSSL version.

How To Detect If You Are Vulnerable

As shown above, OpenSSL can be used in multiple places in your organization. We’ve created a list of 5 methods to detect which OpenSSL version you are using and determine if you are exposed to the vulnerability:

1. OpenSSL Version Command

The command allows you to determine the version your system is currently using. Based on that you can tell if the version is 3.0.*.

ubuntu@ubuntu:~$ openssl version
OpenSSL 1.1.1n  15 Mar 2022

2. Linux Package Managers

Amazon Linux:

repoquery --all --pkgnarrow=installed --qf="%{NAME} %{VERSION} %{RELEASE}" | grep openssl

OR

rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n" | grep openssl

Debian & Ubuntu:

dpkg-query -W -f="\${Package},\${Version}\n" | grep openssl

RHEL, Fedora, Oracle, CentOS:

rpm -qa --queryformat "%{NAME} %{VERSION} %{RELEASE}\n"` | grep openssl

3. Docker Image Vulnerability Database

The Docker Image Vulnerability Database can help you find vulnerable Docker images. For now, the placeholder is dubbed “DSA-2022-0001.”

4. Vulnerability Scanning For Docker Local Images

apt-get update && apt-get install docker-scan-plugin

The docker scan command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:

docker scan hello-world

5. Trivy

sudo trivy image --format spdx oraclelinux:9 | grep -i -C 4 openssl

How Ermetic Can Help

We can help you detect assets that have a vulnerable OpenSSL version and remediate the vulnerability, to avoid crises and get the best visibility for your organization.

If you need help understanding your OpenSSL status or how it affects your security profile, send us an email and we can help.

The post What You Should Know about the New OpenSSL Vulnerability appeared first on Ermetic.

*** This is a Security Bloggers Network syndicated blog from Ermetic authored by Ari Eitan. Read the original post at: https://ermetic.com/blog/cloud/what-you-should-know-about-the-new-openssl-vulnerability/

Ari Eitan