On October 25, 2022, the OpenSSL project announced the existence of a critical vulnerability in the OpenSSL library affecting OpenSSL versions 3.0.0 and above, as well as any application with an embedded, impacted OpenSSL library. This announcement did not include any details on what this vulnerability is or how it can be exploited.
On November 1, 2022, the details were disclosed alongside the OpenSSL 3.0.7 release. OpenSSL is a cryptographic library used for encrypting communications in a wide variety of applications on the internet. Arctic Wolf Labs is providing an update with remediation guidance based on the new information that has been disclosed about the OpenSSL vulnerabilities (CVE-2022-3602 and CVE-2022-3786).
OpenSSL had originally described the vulnerability as critical. However, with the 3.0.7 release on November 1, 2022, OpenSSL downgraded the severity to high after further consultation with the community.
Arctic Wolf Labs has investigated this vulnerability and has determined that remote code execution may only be viable under very specific circumstances.
OpenSSL has clarified that this vulnerability can only be exploited in instances where a certificate authority has signed a maliciously-crafted certificate. They have also stated that stack overflow prevention technologies found in modern platforms greatly reduce the probability of this type of exploit succeeding.
At this point, neither Arctic Wolf nor the OpenSSL project has seen active exploitation of these vulnerabilities for remote code execution. As the industry responds to the disclosed OpenSSL vulnerabilities, vendors will release patches for their affected applications.
However, because successful exploitation has not yet been demonstrated in the wild, these patches should be planned as part of the regular patch cycle rather than being prioritized out-of-band ahead of other critical patches.
Recommendation: Patch any affected applications within your normal patching cycle
Software vendors will provide specific guidance for their affected products. At this time, given the constraints limiting exploitation and the resulting low likelihood of successful remote code execution, we do not recommend prioritizing patching of these vulnerabilities outside of your normal patching cycle.
For a limited list of potentially affected applications, see the following resource: the NCSC-NL/OpenSSL-2022 repository on GitHub (OpenSSL-2022/software at main).
Note: This is a community-sourced resource maintained by the Nationaal Cyber Security Centrum (NCSC-NL) in the Netherlands.
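The affected range described above (OpenSSL 3.0.0 up to, but not including, the 3.0.7 fix release) is the first thing to inventory when planning the patch cycle. The following shell function, an added example that is not part of the Arctic Wolf advisory, classifies the string printed by `openssl version` against that range; the sample version strings it runs over are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Arctic Wolf advisory: classify an OpenSSL
# version string against the range the advisory describes. OpenSSL 3.0.0 up
# to, but not including, the 3.0.7 fix release is affected by CVE-2022-3602
# and CVE-2022-3786; the 1.1.1 series and the later 3.x series are not.
# Argument: the string printed by `openssl version` (e.g. "OpenSSL 3.0.2 15
# Mar 2022") or a bare "3.0.2". Returns 0 if affected, 1 if not, 2 if the
# string cannot be parsed.
openssl_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\2 \3 \4/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # split into major minor patch
    [ "$1" -eq 3 ] || return 1       # only the 3.0 series is affected
    [ "$2" -eq 0 ] || return 1
    [ "$3" -lt 7 ] && return 0       # 3.0.0 .. 3.0.6
    return 1
}

# Human-readable verdict for one version string (wraps the return codes).
openssl_verdict() {
    rc=0; openssl_affected "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED (upgrade to 3.0.7 or later): $1" ;;
        1) echo "not affected: $1" ;;
        *) echo "unrecognised version string: $1" ;;
    esac
    return $rc
}

# Constructed sample strings, as `openssl version` might print them on a few
# hosts; the last entry is deliberately not an OpenSSL string.
for v in "OpenSSL 3.0.2 15 Mar 2022" "OpenSSL 3.0.7 1 Nov 2022" \
         "OpenSSL 1.1.1q  5 Jul 2022" "3.1.0" "LibreSSL 3.3.6"; do
    openssl_verdict "$v" || true
done

# Check the host this script runs on, when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    openssl_verdict "$(openssl version)" || true
fi
```

Statically linked or vendored copies of OpenSSL inside applications are not visible to `openssl version`, so this check covers the system library only; the NCSC-NL list above is the place to look for embedded copies.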