New OpenSSL critical CVE: What you need to know

A few days ago OpenSSL, the widely-used cryptography/TLS  project released a very rare announcement that notified the public of an upcoming release of the project code that will fix a critical 0-day vulnerability. The release (OpenSSL version 3.0.7) is being released today and it is intended as a security fix for a critical vulnerability in OpenSSL 3.0.x.

New Heartbleed?

Hearbleed was the name given to the last critical vulnerability in OpenSSL, which was co-discovered by two different research groups in 2014. Since then, the name echoed throughout the years as “the poster boy” of vulnerabilities that are easy to exploit at the time of rapid growth of the Internet.

Because of that precedent, it is easy for many to notice the similarity and make everyone keep their attention on that upcoming release as back then it took special efforts to discover, evaluate and remediate the vulnerable findings on organizations systems, even weeks and months after the Heartbleed fix at the time.

Analyzing the situation – under constrained unknowns

OpenSSL haven’t disclosed what the critical vulnerability is, only that they will be releasing a new version of OpenSSL code that is without the aforementioned vulnerability.

CVSS calculation is a widely used metric to determine criticality, under its definitions – a score of 9 to 10 (out of 10) is considered critical. Although no further information on the nature of the vulnerability was released, by taking into account how the CVSS algorithm works, one can draw conclusions on properties of the vulnerability in question.

By deriving from Critical score on the CVSS we can assume that

• (a) The vulnerability’s attack vector is via the network – meaning that the exposure of the vulnerable functionality can be enacted by network access alone, no need for local access.
• (b) It is breaking confidentiality of the host system or of encrypted traffic.
• (c) Most critical cases are not requiring high privileges to exploit – so either guest/minimal-user privileges or even unauthenticated users are able to exploit the vulnerability.

The withdrawal of versions 3.0.6 and 1.1.1r

A rare event happened on the 12th of October, 2022, just days before before the publication of the aforementioned announcement (25th of October), which withdrew version 3.0.6. The case was explained with a succinct message on the OpenSSL message board.

We have received a report of a significant regression in the latest 3.0.6 and 1.1.1r versions. The regression is not thought to have security consequences. While the regression is further investigated we have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and instead recommend that users remain on the previous 3.0.5 and 1.1.1q versions for now. We will issue a new plan for the release of 3.0.7 and 1.1.1s soon.

The post stated clearly that the versions were discarded because of regression issues and with “no security consequences”. So, although the two occurrences took place on a similar timeline, it does not mean that version 3.0.6 is what caused the vulnerability. The ranges of the vulnerable versions are not known as for this moment.

Debate on nature of premature release announcement

Not everyone is super happy with the premature announcement of the imminent release. On one hand it gives potential attackers an advanced call to exploit it. The announcement was made on October 25th with a full week passing between it and the actual release. Secondly, the uncertainty of what the actual bug is both, frustrating and one could argue not in the spirit of Open Source.

Summary

A critical vulnerability, which affects common configurations and is also likely exploitable has been identified in OpenSSL 3.0.x. The patch is imminent and should shed more light on the actual details of the vulnerability. Although the announcement did not provide much information for an attacker to potentially use, there is still a concern the vulnerability could have been exploited in the time between the announcement and the patch itself. More clarity should be available imminently.