To Patch or Not To Patch? That is the Question.

OpenSSL Goes Critical, Again!

OpenSSL was behind one of the great vulnerabilities on the Internet, and it has one of the weakest track records of any software system. So, once again, it is on the naughty step with a major bug that has yet to be fixed. For many, OpenSSL is the Swiss Army Knife of cybersecurity, and it is the place many turn to in order to check their cryptographic methods. But underneath there is a tangle of code that has evolved over decades, without a strong software engineering approach to its design.

The new bug (CVE-2022–2068) focuses on TLS communications and involves a bug which corrupts memory — a heap buffer overflow — in the code path for Intel’s Advanced Vector Extensions 512 (AVX512). Things get a little worse, as this problem was meant to have been fixed by CVE-2022–1292. As we can see, the CVE is now under reanalysis and has been given a rating of 9.8 (critical):

The previous update was OpenSSL 3.0.4, and it now needs to be updated in turn. Overall, it is possible for an intruder to trigger the memory corruption and then run malicious code. While there are no reported exploits for this yet, there is a race to patch systems before facing another Heartbleed case.

One way to mitigate is to stay on OpenSSL 1.1.1 and not move to Version 3. Another mitigating factor is that this only affects x86 processors with AVX512, which were sold between 2016 and earlier this year. Intel has disabled AVX512 support on many of its new processors.
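The two mitigating conditions above (the OpenSSL version in use, and whether the CPU exposes AVX512) are what an administrator would check when triaging a fleet. The following POSIX shell script is an added example, not code from the original post or from the OpenSSL project: it parses the banner printed by `openssl version` and the CPU flag list from `/proc/cpuinfo`, and reports whether a host is exposed to the 3.0.4 AVX512 bug. The function names and the `--live` switch are this example's own; the "exposed" verdict only means both conditions are met, not that an exploit exists.

```shell
#!/bin/sh
# Added example (not from the original post): triage a host for the
# OpenSSL 3.0.4 AVX512 heap overflow by combining two facts the post gives:
#   1. only OpenSSL 3.0.4 carries the bug (1.1.1 and 3.0.3 do not),
#   2. the bug sits in the AVX512 code path, so a CPU without AVX512
#      never reaches it.

# is_affected_version BANNER -> exit 0 if the version is exactly 3.0.4.
# Accepts the raw `openssl version` banner ("OpenSSL 3.0.4 21 Jun 2022")
# or a bare version string ("3.0.4").
is_affected_version() {
    iav_ver=$(printf '%s\n' "$1" \
        | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.a-z]*\).*/\2/p')
    [ "$iav_ver" = "3.0.4" ]
}

# cpu_has_avx512 FLAGS -> exit 0 if any avx512* flag appears in the
# space-separated flag list (the format of the "flags" line in /proc/cpuinfo).
cpu_has_avx512() {
    case " $1 " in
        *" avx512"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# exposure BANNER FLAGS -> prints one verdict:
#   not-exposed-version  the installed OpenSSL is not 3.0.4
#   not-exposed-cpu      3.0.4 is installed but the CPU lacks AVX512
#   exposed              3.0.4 installed and AVX512 present: patch first
exposure() {
    if ! is_affected_version "$1"; then
        echo "not-exposed-version"
    elif ! cpu_has_avx512 "$2"; then
        echo "not-exposed-cpu"
    else
        echo "exposed"
    fi
}

# Live check of the local host when invoked as:  sh check_openssl_avx512.sh --live
if [ "${1:-}" = "--live" ]; then
    live_ver=$(openssl version 2>/dev/null || echo "unknown")
    live_flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    echo "openssl:  $live_ver"
    echo "exposure: $(exposure "$live_ver" "$live_flags")"
fi
```

Run it with `--live` on each host, or feed it saved `openssl version` output and the `flags` line from an inventory system. A host that reports `exposed` is the one to prioritise for the 3.0.5 update; `not-exposed-cpu` hosts still need the update, just with less urgency.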

And, so, we await OpenSSL 3.0.5, and hopefully the bug will be fixed this time. Many Linux distributions have paused the roll-out of OpenSSL 3.0.4 and have stuck with OpenSSL 3.0.3 (which has a command injection flaw).

And, so, we await a real-life exploit … for Heartbleed, the Python code was available on GitHub within hours of the exploit being published. For this one, it’s a bit more tricky.

If you want to know more about OpenSSL commands, try here:

https://asecuritysite.com/openssl/openssl_full

and

https://asecuritysite.com/openssl/openssl_full2

And for Heartbleed:

https://asecuritysite.com/encryption/heart3

Conclusions

Don’t patch, until the new patch!