OpenSSL dodges a security bullet


Originally, the OpenSSL 3.x security vulnerability looked like it would be much worse. While it was feared to be a critical bug leading to Remote Code Execution (RCE), a closer examination showed it to be less dire.

That’s not to say it isn’t bad. Both CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-Byte Buffer Overflow”) have a CVSS score of 8.8, which is rated “high”. So they can still cause you real trouble.

That is, if you are using OpenSSL 3.0.0 through 3.0.6. Users of OpenSSL 1.1.1 and 1.0.2 need not worry. However, just because your main operating system uses OpenSSL 1.x, don’t think you can ignore these issues. Your applications or containers may bundle the vulnerable version. In short, check your code before you take off your shoes and go to bed.

In particular, with 3786 you have to worry about a buffer overflow that can be triggered in X.509 certificate verification. Here, an attacker can craft a malicious email address in a certificate to overflow four attacker-controlled bytes on the stack. This may cause a system crash or RCE.

With 3602, your concern is a stack-based buffer overflow in the way OpenSSL processes X.509 certificates with a specially crafted email address field. Again, this can cause a crash or RCE.

This is triggered when a malicious client connects to a server that requests client authentication, or when a client connects to a malicious server. To date, there have been no successful attacks.

Brian Fox, co-founder and CTO of Sonatype, a software supply chain security firm, notes: “Memory overflow errors can lead to worst-case scenarios, where the details of this particular vulnerability indicate that the level of difficulty for an exploit is too high. The vulnerability requires a false certificate. It is trusted or signed by a naming authority. That is, certificates designed to target this vulnerability are created; officers are able to stop quickly and control the range.”

Why isn’t it as big a deal as we first feared? The vulnerabilities are no longer considered critical because many modern platforms are not affected by these specific security holes.

This is because, on some Linux distributions such as Red Hat Enterprise Linux (RHEL), the overflowed bytes only overwrite an unused adjacent buffer on the stack. Additionally, many modern platforms implement stack overflow protections. Your system may still crash, but an attacker is unlikely to pull off RCE.

But, as OpenSSL warns, “Because OpenSSL is distributed as source code, we have no way of knowing how each platform and compiler combination organizes the buffers on the stack, so remote code execution may still be possible on some platforms.”

Additionally, when an OpenSSL patch lands upstream, it doesn’t mean the patch is ready in your distribution. So you cannot simply update Debian-family Linux software with…

$ sudo apt-get update

$ sudo apt-get upgrade

… and rest assured that you are safe. Check with your Linux distribution to make sure the OpenSSL 3.0.7 patch is ready for your system. Or you can always download the patched source and compile it for your computer yourself.
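The two pieces of advice above (check what version your applications and containers actually ship, and don’t trust a package upgrade alone) can be turned into a small check. The following is an added example, not code from the article or from the OpenSSL project; it classifies a version string against the affected range the article names (3.0.0 through 3.0.6, fixed in 3.0.7) and parses the output of `openssl version`. The sample output lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): classify an OpenSSL version string
# against the affected range named in the article: 3.0.0 through 3.0.6 are
# affected, 3.0.7 is fixed, and 1.x builds are not affected at all.

# Usage: openssl_affected "3.0.5"   -> prints "affected" or "not-affected"
openssl_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Drop any letter suffix (e.g. "1s" in 1.1.1s) so the comparison is numeric.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    case "$major.$minor" in
        3.0)
            if [ "${patch:-0}" -le 6 ]; then
                echo affected
            else
                echo not-affected
            fi
            ;;
        *)
            echo not-affected
            ;;
    esac
}

# Pull the version number out of an `openssl version` line, e.g.
# "OpenSSL 3.0.2 15 Mar 2022" -> "3.0.2"
parse_openssl_version() {
    printf '%s' "$1" | awk '{print $2}'
}

# Walk a few constructed sample lines, as `openssl version` might print them,
# and report each one. Returns the number of affected builds seen.
check_samples() {
    hits=0
    for line in "OpenSSL 3.0.2 15 Mar 2022" \
                "OpenSSL 3.0.7 1 Nov 2022" \
                "OpenSSL 1.1.1s  1 Nov 2022"; do
        v=$(parse_openssl_version "$line")
        status=$(openssl_affected "$v")
        printf '%-8s -> %s\n' "$v" "$status"
        [ "$status" = affected ] && hits=$((hits + 1))
    done
    return "$hits"
}

# Check the host's own OpenSSL, if one is on PATH. For a container image you
# would run the same command inside it, e.g.
#   docker run --rm IMAGE_NAME openssl version   (IMAGE_NAME is a placeholder)
check_host() {
    if command -v openssl >/dev/null 2>&1; then
        openssl_affected "$(parse_openssl_version "$(openssl version)")"
    else
        echo "no openssl binary on PATH"
    fi
}

check_samples || true
check_host
```

One caveat the article’s point about distributions implies: a vendor may backport the fix without bumping the upstream version, so a build that reports 3.0.2 may already be patched. Treat the version string as a reason to look at the package changelog or the vendor advisory, not as the final answer.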

Finally, OpenSSL recommends that 1.1.1 users always run the latest version (1.1.1s), and reminds you that OpenSSL 1.1.1 is only supported until September 11, 2023. Users of older versions of OpenSSL (such as 1.0.2) are encouraged to upgrade to OpenSSL 3.0. Remember, there was never an OpenSSL 2 release. If someone tries to “upgrade” you to OpenSSL 2, they are attacking you.

Before you patch this problem and move on, Chainguard and Sigstore founder Dan Lorenc said that while this turned out to be an important OpenSSL vulnerability, “it’s the second one in the better part of a decade. It confirms that open-source code is at least as secure as proprietary, closed-source code. … Instead of debating the merits of open source, rooting should be done in secure-by-default operations. Doing so should focus on building secure software with the necessary tools to make troubleshooting quick and seamless.”
