A week after warning the infosec community of a critical vulnerability in OpenSSL, the OpenSSL Project has released a patch as scheduled. It turns out the vulnerability wasn’t all that critical, though it remains important to patch.

On October 25, the OpenSSL Project announced that one of two vulnerabilities discovered in the OpenSSL library/toolkit was critical, sending the tech community into a tizzy. However, the CVEs and the patch releases indicate that the vulnerability (CVE-2022-3602) is far less severe than 2014’s Heartbleed bug, the only other OpenSSL flaw to have carried a critical rating. Nevertheless, both CVE-2022-3602 and CVE-2022-3786 are still rated high severity with a CVSS score of 8.8, just 0.2 points below the 9.0 threshold for critical.

Patches for the two flaws, which affect OpenSSL versions 3.0.0 through 3.0.6 and are fixed in 3.0.7, are now available to download. The OpenSSL Project describes both as buffer overrun vulnerabilities; CVE-2022-3602 (initially thought to be critical) makes a vulnerable machine susceptible to denial of service or potentially remote code execution.

Gareth Lindahl-Wise, the chief security advisor at Tiberium, told Spiceworks, “While not being currently exploited, the RCE potential should be taken seriously and acted upon.”

Exploitation of CVE-2022-3786, which, like CVE-2022-3602, is triggered during X.509 certificate verification by a crafted email address in a certificate, could enable an attacker to carry out a denial of service attack.

CVE-2022-3602 was discovered on October 17 by cybersecurity researcher Polar Bear, and CVE-2022-3786 the next day, October 18, by Viktor Dukhovni while researching CVE-2022-3602.

“The original bug only allows an attacker to corrupt four bytes on the stack, which limits the exploitability of the hole, while the second bug allows an unlimited amount of stack overflow, but apparently only of the ‘dot’ character (ASCII 46, or 0x2E) repeated over and over again,” noted Paul Ducklin, principal research scientist at Sophos.

CVE-2022-3602’s October 25 notification led the cybersecurity community to assess their deployments of the ubiquitous open-source SSL/TLS library.

“I think that by announcing the new critical OpenSSL vulnerability several days in advance of revealing the details, the team is enabling organizations to prepare effectively,” Jeff Williams, co-founder and CTO at Contrast Security, told Spiceworks.

“When the new version is released, attackers will reverse engineer the update and create exploits. Attacks on this new vulnerability will start almost immediately thereafter. OpenSSL is, after all, used for encryption and server authentication over the Internet for operating systems (Windows, macOS, and Linux), HTTPS websites and the underlying servers and email servers. So, this advance warning is useful and welcome.”
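The affected range above (3.0.0 through 3.0.6, fixed in 3.0.7) is narrow enough to check mechanically. The following is an added example, not code from the article or from the OpenSSL Project: a POSIX shell function that parses an `openssl version` string and reports whether it falls in the affected range, plus a wrapper that runs it against the local binary. It assumes the only affected series is 3.0.x (1.1.1 and 1.0.2 builds are reported as not affected) and that a non-OpenSSL string such as LibreSSL is simply out of scope.

```shell
#!/bin/sh
# Added example (not the article's or the OpenSSL Project's code).
# Assumption: only OpenSSL 3.0.0 through 3.0.6 are affected by
# CVE-2022-3602 and CVE-2022-3786; 3.0.7 and later, the 1.1.1 series,
# and non-OpenSSL libraries (e.g. LibreSSL) are treated as not affected.

# openssl_affected VERSION_STRING
# Returns 0 (true) when the string names OpenSSL 3.0.0..3.0.6, 1 otherwise.
# Accepts the full output of "openssl version", e.g.
#   "OpenSSL 3.0.6 11 Oct 2022 (Library: OpenSSL 3.0.6 11 Oct 2022)"
openssl_affected() {
    # Pull the first dotted numeric version token after "OpenSSL ".
    # Letter suffixes such as 1.1.1q are dropped by the trailing [0-9].
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p')
    [ -n "$ver" ] || return 1          # not an OpenSSL version string

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # A bare "3.0" has no patch component; treat it as 3.0.0.
    [ "$patch" = "$rest" ] && patch=0

    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        return 0
    fi
    return 1
}

# check_installed
# Runs the local openssl binary and prints a verdict.
# Exit status: 0 affected, 1 not affected, 2 openssl not found.
check_installed() {
    out=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if openssl_affected "$out"; then
        echo "AFFECTED: $out (upgrade to OpenSSL 3.0.7 or later)"
        return 0
    fi
    echo "not affected: $out"
    return 1
}
```

Note that this only inspects the library the `openssl` command line tool is linked against. Applications that bundle or statically link their own copy of OpenSSL (language runtimes, container images, appliances) carry a separate version and need to be checked individually, which is the main reason the advance notice mattered to operators.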