Critical Vulnerability in OpenSSL
There are no details yet, but it’s really important that you patch OpenSSL 3.x when the new version comes out on Tuesday.
How bad is “Critical”? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable.
It’s likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code remotely. In other words, pretty much everything you don’t want happening on your production systems.
Slashdot thread.
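With no details available, the one action the advisory supports is finding which systems run the OpenSSL 3.x series so they can be patched on Tuesday. The script below is an added example, not code from the original post: it parses `openssl version` output (the "OpenSSL 3.0.5 5 Jul 2022" format) and classifies each host as in the 3.x series or not. The host names and version strings are constructed sample data; the fixed version number is not known from the post, so the check only asks whether a build is 3.x at all.

```shell
#!/bin/sh
# Added example (not from the original post): classify "openssl version"
# output by series so 3.x hosts can be put on the patch list.

# Extract the numeric version (e.g. "3.0.5") from a line such as
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# Letter suffixes like the "q" in 1.1.1q are dropped.
openssl_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the version string is in the 3.x series (the series the
# advisory concerns), 1 when it is another series, 2 when unparseable.
openssl_is_3x() {
    ver=$(openssl_version_number "$1")
    [ -n "$ver" ] || return 2
    case "$ver" in
        3.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read "host<TAB>version line" records on stdin and print one
# "host<TAB>status<TAB>version" line per record.
report_affected() {
    tab=$(printf '\t')
    while IFS="$tab" read -r host verline; do
        ver=$(openssl_version_number "$verline")
        if openssl_is_3x "$verline"; then
            printf '%s\t%s\t%s\n' "$host" "AFFECTED" "$ver"
        else
            printf '%s\t%s\t%s\n' "$host" "ok" "${ver:-unknown}"
        fi
    done
}

# Constructed sample inventory (in practice: ssh to each host and run
# "openssl version", or pull the value from your CMDB).
sample_inventory() {
    printf 'web01\tOpenSSL 3.0.5 5 Jul 2022\n'
    printf 'db01\tOpenSSL 1.1.1q  5 Jul 2022\n'
    printf 'legacy\tLibreSSL 3.3.6\n'
}

# Count of hosts needing the Tuesday patch, for a quick summary.
count_affected() {
    sample_inventory | report_affected | grep -c 'AFFECTED'
}

if [ "${1:-}" = "--run" ]; then
    sample_inventory | report_affected
    echo "3.x hosts to patch: $(count_affected)"
fi
```

Run with `sh check_openssl.sh --run` to print the table; in a real inventory, pipe the per-host `openssl version` output into `report_affected`. Note that a host can link several OpenSSL copies (the system library plus ones bundled with applications), so the `openssl` binary on the path is a starting point, not the whole picture.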
Clive Robinson • October 28, 2022 8:19 PM
@ ALL,
Re : There are no details yet.
So one “YOU HAVE TO ACT ON” if you run SSL 3.x… Because the last SSL critical warnings were nasty nasty nasty, so you don’t want to be on the list of entities “Shish kebabed” by this one.
But too little is currently “public” to say what is or is not vulnerable or why, thus how to mitigate it.
My advice based on what I know from past experience is “mitigation in advance” rarely is actually counter productive, if done judiciously.
But like most you probably do not have sufficient technical information available to you to do any mitigation with a surgical precision. Thus any systems with SSL 3.x on them, even if you do not think it’s in use need to be put on a list to be mitigated.
But that just brings up the “How to mitigate?” question to which there are only really two answers currently,
1, Not being communications connected.
2, Watched critically 24×7 for any kind of unusual activity.
My reasoning would be the first for a few days might be the only option for most systems. With the second reserved only for systems that have to be connected.
Oh and remember, by “connected” I do not just mean “the Internet” because if this vulnerability is in use, then it can also be used on any and all networks where an attacker internal or externally could have reached…
So fingers crossed folks, and let’s hope the law of,
“Target Rich Environment Probability”
Rolls the dice favourably for you.