
How to Respond to OpenSSL Vulnerabilities

Two vulnerabilities in the open-source software library OpenSSL, CVE-2022-3786 and CVE-2022-3602, were disclosed on Tuesday; they could allow for remote code execution (RCE) attacks. The vulnerabilities affect versions 3.0 to 3.0.6. OpenSSL version 3.0.7 was released last week as a security patch prior to the disclosure, and immediate updates are recommended to mitigate the risk of successful exploitation.

The vulnerabilities, one of which was initially deemed CRITICAL by OpenSSL and later downgraded to HIGH, would allow for a stack buffer overflow attack, which can be used to achieve remote code execution. While there have been no known instances of exploitation in the wild at the time of writing, the widespread use of OpenSSL combined with the severity of remote code execution attacks warrants a quick response by network and security teams.

Stack Buffer Overflow Attacks Explained

A stack buffer overflow attack occurs when an attacker deliberately overloads the allocated memory (the buffer) in a program's data structure (the call stack) with excess data. An overloaded buffer can either trigger an application crash or create an error that an attacker can exploit.

The overloaded call stack prevents the program from returning correctly to the calling process or function. The attacker can then point the program to a custom return address, rather than the one specified by the program, and execute malicious shellcode. At this point, an attacker has effectively taken over a system by way of remote code execution (RCE).

OpenSSL originally disclosed CVE-2022-3602 at CRITICAL because of the potential for remote code execution, which allows an attacker to gain unlimited network access to carry out anything from a simple denial-of-service (DoS) attack to encryption and data exfiltration associated with ransomware and cyber espionage. The downgrade to HIGH was made after testing determined that, among other factors, stack overflow protections on modern platforms typically lead to system crashes, thereby preventing the type of program errors that allow for remote code execution.

Detecting and Mitigating OpenSSL Vulnerabilities

OpenSSL is an open-source software toolkit used for encrypted communication, which makes it a ubiquitous part of today's software applications and a critical component of modern internet infrastructure. Because OpenSSL is a widely used part of today's software supply chain, the task of applying a patch to every instance of vulnerable software becomes next to impossible without a complete inventory of all connected assets and the components they include.
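As an added example (not code from ExtraHop or the OpenSSL project), the following helper triages an inventory of `openssl version` banners against the affected range stated in this article, 3.0 to 3.0.6. The function names, hostnames and sample banners are assumptions constructed for illustration.

```python
import re

# Affected range as stated in the article: OpenSSL 3.0 through 3.0.6; fixed in 3.0.7.
FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

# Banner shape printed by `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022".
# The product name is captured so look-alike version numbers from other
# TLS libraries (e.g. "LibreSSL 3.3.6") are not misread as OpenSSL 3.x.
_BANNER = re.compile(r"^\s*([A-Za-z]+SSL)\s+(\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner):
    """Return 'affected', 'not-affected', 'not-openssl' or 'unknown'."""
    m = _BANNER.match(banner or "")
    if not m:
        return "unknown"
    if m.group(1).lower() != "openssl":
        return "not-openssl"
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "affected"
    return "not-affected"


def triage(inventory):
    """Group hostnames by classification; 'unknown' hosts need manual review."""
    result = {}
    for host, banner in inventory.items():
        result.setdefault(classify(banner), []).append(host)
    return {k: sorted(v) for k, v in result.items()}


# Constructed sample inventory (hostnames and banners are illustrative only).
SAMPLE = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "db-01": "OpenSSL 1.1.1s  1 Nov 2022",
    "mac-07": "LibreSSL 3.3.6",
    "iot-03": "",
    "app-02": "OpenSSL 3.0.2 15 Mar 2022",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

A version match is a starting point for triage: distribution packages can carry backported fixes under an older version string, so confirm flagged hosts against the vendor's package advisory.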

To support the identification and mitigation of these vulnerabilities, as of Thursday, November 3, ExtraHop Reveal(x) 360 has updated connected sensors that allow users to automatically identify clients running vulnerable versions of OpenSSL. A Threat Briefing is also now available to customers.

Active devices search pane showing search for OpenSSL 3 clients in Reveal(x) UI

Reveal(x) customers can search for devices with active OpenSSL 3.

A patch management process is strongly advised as a security best practice to help prevent current and future vulnerabilities that can lead to remote code execution. In addition, even after patches are applied, it is advised that all organizations monitor network data for post-compromise activity associated with remote code execution attacks such as C&C beaconing, data staging, and exfiltration.
