Critical OpenSSL Security Vulnerability

Atlantic.Net is providing this security advisory as a news item. We want to reassure our customers that Atlantic.Net is not affected internally or in our service offerings by the exploited products.

On the 1st of November 2022, a Common Vulnerabilities and Exposures (CVE) statement was released about an exploit found in the widely used OpenSSL protocol. OpenSSL is an essential piece of software used by millions of people around the world. Despite its widespread use, many users don’t even realize their server is using it.

OpenSSL is a library that supports secure communications between applications and servers. It is used for various purposes, including email encryption, authentication, and digital signatures, and unfortunately, it’s not the first time OpenSSL has become vulnerable.

Many readers may remember the notorious Heartbleed exploit from 2014, a vulnerability that caused many sleepless nights for sysadmins everywhere. Heartbleed affected the TLS Heartbeat extension, a module used to check if a server is available on the network.

Initial reports suggest that although severe, the latest OpenSSL vulnerability is not at the scale of the Heartbleed exploit. In this article, we will learn what OpenSSL is, discover the details of this vulnerability and how it affects Linux, Windows, and macOS users differently, and assess its likely impact.

What Is OpenSSL?

OpenSSL is a general-purpose, open-source cryptographic library. It was initially developed over 20 yearsago by ‘The OpenSSL Project.’ It has remained free to use and distribute in commercial or non-commercial projects. This approach has led to widespread use within most Linux distributions and is frequently embedded within cloud applications.

The main features of this cryptography library are:

• Hashing: an algorithm that takes an arbitrary amount of data and produces a fixed-size output. This output is also known as a hash, and in cryptography, it is often used as a type of encryption/decryption tool.
• Symmetric Encryption: an encryption type where only one key is used to encrypt or decrypt, sometimes called Secret Key Cryptography.
• Public Key Cryptography: an encryption scheme that uses two mathematically related, but not identical, keys – a public key and a private key.
• Key Agreement: a simple way to let two or more parties exchange information without allowing them to communicate openly is by using a shared encryption key that protects both parties.
• Certificate Handing: a cryptographic certificate allows users to access public keys. It will enable others to trust the public key.
• Pseudo-Random Number Generator (PRNG): an algorithm that uses mathematical formulas to produce sequences of random numbers.
• Message Authentication Code (MAC): a block of a few bytes used to authenticate a message.
• Hash Message Authentication Code (HMAC): a message authentication code with an authentication key with a hash function.
• Key Derivation Function (KDF): an algorithm that uses a secret key, such as a master key, to derive one or more secret keys from a string of data, such as a fingerprint.

OpenSSH also uses it as part of the secure shell protocol, explicitly the OpenSSL libcrypto and zlib libraries. Thankfully, it does not use SSL/TLS to make a secure connection.

Details of the OpenSSL Security Vulnerability

In late October 2022, OpenSSL developers announced they would release OpenSSL 3.7 to fix a critical flaw in the OpenSSL 3 protocol. OpenSSL advised that the vulnerability allowed an attacker to trigger a buffer overrun in X.509 certificate verification. It allowed a skilled hacker to exploit certificate verification despite failure to construct a path to the trusted issue.

This means the vulnerability could result in a stack overflow causing the affected system to crash, inducing a denial of service, and potentially allowing remote code execution on the endpoint.

The only version affected by the exploit is OpenSSL 3; the first stable version of OpenSSL 3.0 was released in September 2021. Any older operating systems or appliances that use Linux will likely be using OpenSSL 1.1.1, which is not affected. However, the only way to be sure is to check manually.

Known Linux Operating Systems that Use OpenSSL 3

OpenSSL is installed by default on most Linux distributions; however, only a handful use the exploitable version OpenSSL 3. These tend to be much newer Linux distributions. The known Linux distributions potentially impacted are:

• CentOS Stream 9 (OpenSSL Version 3.0.1)
• Fedora 36 (OpenSSL Version 3.0.5)
• Fedora Rawhide (OpenSSL Version 3.0.5)
• Kali 2022.3 (OpenSSL Version 3.0.5)
• Linux Mint 21 Vanessa (OpenSSL Version 3.0.2)
• Mageia Cauldron (OpenSSL Version 3.0.5)
• OpenMandriva 4.3 (OpenSSL Version 3.0.3)
• OpenMandriva Cooker (OpenSSL Version 3.0.6)
• Redhat EL 9 (OpenSSL Version 3.0.0)
• Rocky Linux 9.0 Blue Onyx (OpenSSL Version 3.0.1)
• Ubuntu 22.04 (OpenSSL Version 3.0.2)

What About Mac and Windows Users?

For Mac users, by default, the macOS uses LibreSSL and not OpenSSL. However, other software may install OpenSSL later, particularly applications installed using homebrew tools like brew.sh.

OpenSSL is not installed by default on Windows Desktop or Windows Server operating system; likewise, other applications may install OpenSSL.

How Do I Check What Version of OpenSSL I Am Using?

Checking the version of OpenSSL is simple; you type on the command line OpenSSL version. It’s the same command on Linux, Mac, and Windows. The server will respond with either the OpenSSL version being used or the command will give an error. If you get an error, OpenSSL is not installed on your system.

What Can You Do to Protect Yourself?

The first recommendation we offer is to review your OpenSSL version, and if the issue impacts you, download and install OpenSSL version 3.0.7, which includes a fix for the problem.

If you own a business that needs to focus on cybersecurity for whom parts of your business reside on the internet, we encourage you to reach out to us. Working with someone with extensive cyber security experience will help your business remain independent from these issues. We specialize in managed services, business cloud VPS hosting, and HIPAA compliance.

We are security specialists who help you reduce the threats to your business and plan for them before they happen. Our managed services can reduce your daily cyber security attention. In addition, we provide cloud-based solutions and technology for your business to move beyond essential safeguards in cybersecurity that require daily maintenance. Get in touch with us today to receive a detailed proposal.