The OpenSSL Project tomorrow is scheduled to release version 3.0.7 of the popular open source encryption library that patches a critical vulnerability, the first disclosed and addressed by OpenSSL in six years.
The project's maintainers have not provided any substantial details as of yet on the vulnerability.
OpenSSL is everywhere within IT, operational technology, and connected embedded systems. Commercial and homegrown software projects include OpenSSL as their cryptographic key solution.
The affected version—3.0—was released in 2021 and is less likely to be deployed in OT environments and within critical infrastructure given their slower update cycles.
The last critical vulnerability publicly disclosed and patched by OpenSSL was in September 2016 when an emergency security update addressed a flaw introduced by an earlier update. The patch in question introduced a dangling pointer vulnerability that could lead to server crashes or remote code execution.
2014’s Heartbleed vulnerability is one of the biggest internet-wide bugs of the 21st century. Heartbleed leaked memory to any client or server that was connected, and that exposed servers to attack. It also kicked off a major patching frenzy at the time as administrators scrambled to understand where OpenSSL was deployed within their infrastructure, and whether it could be updated before exploits were made public.
It also caused OpenSSL’s handlers and the maintainers of other ubiquitous open source projects to scrutinize the security of their code and how users are impacted. Therefore, it’s critical for organizations to get ahead of this potential patching effort. The SANS Institute today published a blog recommending that in many cases, the OpenSSL command utility below would reveal whether OpenSSL 3.0 is in use.
% openssl version
SANS Institute also published a list of affected Linux distributions, which is relatively few. MacOS users are not affected because the OS users LibreSSL by default. Other software, however, may later have installed OpenSSL, according to SANS.
The National Cyber Security Centrum (NCSC-NL) is also maintaining a list of software affected by the vulnerability that users are urged to monitor.
Users should expect OpenSSL to release its update between 1 p.m. and 5 p.m. UTC.
CWE-121 STACK-BASED BUFFER OVERFLOW:
Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE 287: Improper Authentication
An Improper Authentication vulnerability exists in Danfoss AK-SM8xxA Series, resulting in an authentication bypass. Install the latest patch with number 4.2 to remediate this vulnerability. This flaw could enable an attacker to generate a web report that discloses sensitive information such as internal IP addresses, usernames, store names, and other sensitive information.e
CVSS v3: 8.2
CWE-798 USE OF HARD-CODED CREDENTIALS:
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.
Optigo Networks recommends users implement at least one of the following additional mitigations:
CVSS v3: 9.8
CWE-78 Improper Neutralization of Special Elements used in an OS Command:
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:
CVSS v3: 9.8