IT Defenders Race To Scope Out The Threat Ahead Of OpenSSL Patch Release

11/01/2022: This story has been updated to include new information about products affected by the OpenSSL vulnerability.

A race between attackers and defenders will start Tuesday, as the OpenSSL project, which maintains widely-used open source software that facilitates secure communication, pre-disclosed a critical vulnerability that an updated version will address.

While OpenSSL has not shared much in the way of technical details for the bug, the team noted that the next version, 3.0.7, would be made available on Tuesday between 13:00 to 17:00 UTC, which will fix a critical vulnerability affecting version 3.0 and above.

The announcement has been noteworthy as this is the first time OpenSSL has classified a flaw as “critical” since the Heartbleed bug in 2014. It has also been somewhat controversial among the security community, with some questioning whether the OpenSSL project’s decision to go public about the vulnerability before the patch gives attackers more opportunities to exploit it.

“[The advance notice] does put the vulnerability bug in the spotlight and gives it a sort of promotion, especially when it concerns such sensitive and high-profile applications,” Alex Kozodoy, cyber research manager at Deep Instinct, told SC Media.

Tim Mackey, principal security strategist at Synopsys, added that attackers could make use of the time to create fake patches.

“[Fake patches] could potentially pollute software supply chains of organizations who are more focused on patching than they are on verifying the integrity and functionality of a patch,” Mackey said.

Conversely, some security experts said the announcement gives companies more time to prepare for wide-scale patch management.

“Since OpenSSL is so widespread, early notice of the need to update should do more good than damage,” Eugene Rojavski, application security research team leader at Checkmarx, told SC Media. “All the major vendors and library users should be ready to install the patched version and publish their own updated version.” 

OpenSSL is a part of the internet’s critical infrastructure — it secures most communications and networking applications and is widely used in all types of software development. Therefore, it is challenging to identify the vulnerable version in all devices and update them accordingly.

The lack of widespread IT asset inventory work across the private and public sector also means many organizations could be blind to where and even whether they rely on a vulnerable version of the library. Dozens of security researchers have begun compiling a common list on GitHub of vendors and products that are known to be affected or unaffected by the vulnerability.

“Organizations rarely know what components their hardware uses due to manufacturers keeping that information secret, so the real risk is not knowing whether your routers, semiconductors, and other pieces of hardware are using the vulnerable version,” Brian Fox, CTO at Sonatype, noted in an email.

There is no telling, until Tuesday at least, whether the threat landscape will be as large as Heartbleed or log4j, but one of the most commonly used versions, 1.1.1 and every other version up to 3.0 will not be affected, meaning only systems and assets using more recent versions are at risk.

“Give that low number of systems running OpenSSL 3.0.x, we’re unlikely to see impact anywhere near the level of previous mass exploitation incidents (Log4J, BlueKeep, ProxyLogon, etc),” wrote Marcus Hutchins, a security researcher at Kryptos Logic who is best known for temporarily shutting down the global WannaCry ransomware attack, in a post published Nov. 1. “A rudimentary scan based on HTTP headers detected only around 6,000 webservers presenting vulnerable OpenSSL version.”

Still, given the popularity and significance of OpenSSL, experts warn that organizations should continue monitoring the threat actors and stay alert in the long term.

“The short-term impact will be unknown for some time but will be substantial once the dust settles. And longer term, we could be dealing with this for years as we are still seeing issues with log4j today,” Mike Turner, VP WW of solution engineering at AppViewX, told SC Media.