The OpenSSL Project released Tuesday a patch to fix two high severity security vulnerabilities that could allow attackers to execute code remotely and shut down networks.
The vulnerability was initially pre-disclosed as “critical” but ultimately arrived as “high” with the release of the latest version, 3.0.7. OpenSSL walked back the severity on Tuesday, but noted that they still believe the vulnerabilities — tracked under CVE-2022-3602 and CVE-2022-3786 — are serious issues and encourage users to upgrade systems as soon as possible.
“Our security policy states that a vulnerability might be described as CRITICAL if remote code execution is considered likely in common situations. We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1st November 2022 before being released to HIGH,” the OpenSSL project explained in its latest blog post.
Researchers at Cisco Talos noted that these vulnerabilities could be impactful given the wide use of OpenSSL and the fact that vulnerable versions are included in some major Linux distributions. However, it is also noteworthy that the issues only apply to version 3.0 and above, which was released recently in September 2021, and is not as widespread as older versions, such as 1.1.1 and 1.0.2.
Before the patch was released, the vulnerability caused a wave of fear among the security community that it could be another Heartbleed bug, one of the most dangerous vulnerabilities in the OpenSSL cryptographic software library that have allowed attackers to eavesdrop on communications and steal data directly from the services. Yotam Perkal, director of vulnerability research at Rezilion, told SC Media that CVE-2022-3602 is far less common than Heartbleed.
“Currently, under 16,000 publicly accessible servers worldwide are running potentially vulnerable versions of OpenSSL 3.X while around 238,000 servers are still vulnerable to Heartbleed, which was disclosed eight years ago,” Perkal noted.
While some researchers have voiced on Twitter that OpenSSL has overhyped the threats, Brian Fox, co-founder, and CTO of Sonatype, said that OpenSSL had made the right decision to pre-announce the vulnerability.
“Some people might be let down that it is not as bad as they hoped. But I think that is evidence of success because the opposite is that everyone is scrambling and woefully unprepared,” Fox told SC Media. “In fact, in our recent report, we have data that clearly indicates the more widely publicized a vulnerability is, the faster people respond.”
Conversely, Claire Tills, senior research engineer at Tenable, expressed concerns over disclosing the vulnerability before the investigation was completed, warning that it might have caused unnecessary strain on defender resources before OpenSSL officially announced the issues.
“That being said, this is an opportunity for organizations to evaluate their response processes and understand what can be improved,” Tills told SC Media. “Here are some questions organizations should reflect on — How difficult was it for organizations to determine which version of OpenSSL they had deployed or whether any software they relied on was vulnerable? "Were their communication channels maturing enough to get the correct information to the people who needed it as soon as it was available?”