Highly anticipated critical vulnerabilities in current versions of OpenSSL were downgraded to high severity by the OpenSSL Project today, which patched the flaw in version 3.0.7. OpenSSL’s advisory can be found here.
The downgrade should not lessen the rush to update current deployments, OpenSSL said, despite several mitigating factors reported by users who tested their systems for the vulnerabilities.
OpenSSL added there are no reports of public exploits for either CVE-2022-3786 or CVE-2022-3602. Both vulnerabilities are buffer overflows that could lead to crashes or in some rare cases to remote code execution; they affect functionality that processes email address name constraints in X.509 certificates.
OpenSSL is everywhere within IT, operational technology, and connected embedded systems. Many commercial and homegrown software projects include OpenSSL as their cryptographic key solution.
A blog published today by OpenSSL explains that several organizations doing testing on systems running affected versions of the crypto library reported two mitigating factors that blunted the effects of the vulnerability and led to the downgrade in severity from critical to high severity.
“Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution,” OpenSSL said. “Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.”
Since OpenSSL is open source, maintainers caution there could still be a risk of remote code execution exploits.
“We have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms,” OpenSSL said in its blog. Users who have OpenSSL 3.0 and later running under the hood of commercial software should work with their respective vendors on updates.
Several entities have published lists of affected Linux distributions and other software projects that may be impacted by the vulnerabilities, including SANS Institute and the Netherlands' National Cyber Security Centre.
“Any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable,” OpenSSL said. “This includes TLS clients, and TLS servers that are configured to use TLS client authentication.” OpenSSL also said that users operating TLS servers may disable TLS client authentication until fixes are applied, if appropriate within their environment.
The last critical vulnerability publicly disclosed and patched by OpenSSL was in September 2016 when an emergency security update addressed a flaw introduced by an earlier update. The patch in question introduced a dangling pointer vulnerability that could lead to server crashes or remote code execution.
2014’s Heartbleed vulnerability is one of the biggest internet-wide bugs of the 21st century. Heartbleed leaked memory to any client or server that was connected, and that exposed servers to attack. It also kicked off a major patching frenzy at the time as administrators scrambled to understand where OpenSSL was deployed within their infrastructure, and whether it could be updated before exploits were made public.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
