OpenSSL ‘CRITICAL’ Bug — Sky Falling — Patch Hits 11/1

OpenSSL has a new “critical” bug. But it’s a secret—until next month.

Mark J. Cox (pictured) is an OpenSSL co-founder and the Red Hat VP of Security. This week, he pre-announced patch availability. We’re not going to see the actual code until Tuesday, though.

It’s a big, fat, hairy deal. OpenSSL is in just about everything. In today’s SB Blogwatch, we make sure our SBOMs are up to date.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Building a 1920s tube amplifier.

Worse Than Heartbleed?

What’s the craic? Steven J. Vaughan-Nichols reports—“OpenSSL warns of critical security vuln”:

Likely to be a bad security hole
We don’t have the details yet, but we can safely say that come Nov. 1, everyone—and I mean everyone—will need to patch OpenSSL 3.x. … Everyone depends on OpenSSL. [It] is used to lock down pretty much every secure communications and networking application and device out there.

An issue of critical severity [is] likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code remotely. In other words, pretty much everything you don’t want happening on your production systems. … We can only hope it’s not as bad as that all-time champion of OpenSSL’s security holes, 2014’s HeartBleed.

If you’re using anything with OpenSSL 3.x … get ready to patch on Tuesday. This is likely to be a bad security hole, and exploits will soon follow.

Okay, but what’s the issue? Sead Fadilpašić doesn’t know either—“Patch is coming imminently”:

3.0.7 version is now set for November 1
OpenSSL is preparing to patch its first critical flaw in eight years. [It] is the second critical vulnerability to ever be addressed by the OpenSSL Project, with Heartbleed (CVE-2014-0160) being the first one in 2014.

The release date for the 3.0.7 version is now set for November 1. [It] should fix several vulnerabilities … including one flaw defined as critical.

Can we speculate? Sure! Zach Hanley has a go—“Should You Be Spooked?”:

Night of trick-or-treating
If this upcoming vulnerability is like the last critical OpenSSL vulnerability in 2016, it will be … difficult to weaponize. … CVE-2016-6309 was a Use-After-Free (UAF) vulnerability that was triggered when processing large messages. … Memory corruption issues like this are not so straightforward and are increasingly becoming more difficult to weaponize. … There are a marathon worth of hurdles to overcome to truly weaponize a Use-After-Free or similar bug.

While this vulnerability may be easy to trigger, it will probably take serious investment … from an exploit developer’s perspective … to weaponize. This investment will take time, and time kills access when it comes to N-days.

As we all eagerly wake up from our night of trick-or-treating come Tuesday morning, I think we’ll find our industry is abuzz about this new hot vulnerability – and a week later we’ll all move on. We’ll see.

Welcome to the internet of ****. Brian Fox rolls his eyes—“Security Orgs Should Brace for Impact”:

Potential reach is always the most consequential piece of any major flaw. In this instance, the largest challenge with updating OpenSSL is that often this usage is embedded inside of other devices.

Finding what pieces of software or devices is the first step. Organizations should do that now, and then patching or sourcing updates from the upstream vendors will follow. All you can do at the moment is inventory.
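One way to start that inventory on a Linux host, as an added example that is not part of the article or of any of the quoted posts: a small POSIX shell helper that classifies an `openssl version` string (3.0.0 through 3.0.6 still need the 3.0.7 release the article refers to; 1.x is outside the announced scope) and lists 3.x `libssl` shared objects on disk. The function names and the default library paths are assumptions.

```shell
#!/bin/sh
# Constructed inventory helper (not from the article or the OpenSSL project).
# Assumes the stated fix version is 3.0.7 and that only the 3.x line is affected.

# classify_openssl "OpenSSL 3.0.5 5 Jul 2022" -> affected | fixed | unaffected | unknown
# LibreSSL strings ("LibreSSL 3.x") are a different codebase and report as unknown.
classify_openssl() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 1; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0        # "3.0" with no patch component
    if [ "$major" != 3 ]; then
        echo "unaffected"                    # 1.1.1 and older are out of scope
    elif [ "$minor" -gt 0 ] || [ "$patch" -ge 7 ]; then
        echo "fixed"                         # 3.0.7 or later
    else
        echo "affected"                      # 3.0.0 .. 3.0.6
    fi
}

# List libssl 3.x shared objects under the given directories (defaults assumed).
find_libssl3() {
    [ $# -eq 0 ] && set -- /lib /usr/lib /usr/lib64 /usr/local/lib
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -name 'libssl.so.3*' 2>/dev/null
    done
    return 0
}

# Report the system openssl binary on PATH, if any, with its classification.
report_system_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version 2>/dev/null)
        printf '%s -> %s\n' "$v" "$(classify_openssl "$v")"
    else
        echo "no openssl binary on PATH"
    fi
}
```

This only finds the distro's own copies; statically linked or vendor-bundled OpenSSL inside appliances and containers, which is exactly the embedded case the quote warns about, needs an SBOM or vendor inquiry instead.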

Good luck with that. Ilkka Turunen points out the oint in the flyment—“Get Ready to Patch”:

Historically, OpenSSL vulnerabilities have had a widespread impact. … There are 62 wrapper packages distributed by the world’s largest Java Open Source ecosystem — Maven Central — that repackage OpenSSL.

It is more often included in a project transitively or required from the system by a piece of software. Indeed, any application that provides a web server, or uses a web server, could run on a server software that relies on an outdated version.

Penguinista? yuvadam sees the silver lining:

Most [Linux] distros have never bothered to upgrade to major version 3 — possibly because it broke ABI backwards compatibility — so despite the critical severity the impact might not be as widespread as it could have been.

Are there better options? 93 Escort Wagon suggests the obvious candidate:

Many, many projects and vendors have migrated to LibreSSL, which was forked from OpenSSL in 2014 because that latter project’s codebase was deemed to be a ****show.

Where’s the pachyderm in this parlor? midislack is disappointed:

No cute name/logo for this one?

But how could this possibly happen? TechyImmigrant isn’t surprised:

Have you looked at the OpenSSL code? You don’t need advanced warning to tell you that there are zero days within.

Meanwhile, mulenmar alleges an allegation:

Oh joy, what did the NSA sabotage in that project this time?

And Finally:

DIY tubes; DIY amp

Hat tip: P-MONKE


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: OpenSSF (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
