By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast
By security practitioners, for security practitioners

CISA Suggests Patching Severe Vulnerability in OpenSSL

OpenSSL version 3.0.4 is susceptible to a vulnerability that allows for buffer overflow and remote code execution.

CISA recommends administrators running 3.0.4 on TLS/SSL servers update to 3.0.5.
 

What’s the nature of the vulnerability?

The issue stems from OpenSSL running on X86_64 systems that support AVX512IFMA instructions.

An implementation issue with 2048 bit RSA on these systems causes memory corruption and could lead to Remote Code Execution.

The severity of the vulnerability is rated “high” by the OpenSSL team. The vulnerability was discovered and patched by Xi Ruoyao.   

What can I do to protect against exploit?

Users of OpenSSL 3.0.4 version should upgrade to OpenSSL 3.0.5. Upgrades to this version may require installing upstream binaries.
 
According to the Git Issue page, setting the environment variable OPENSSL_ia32cap=:~0x200000 will work as a temporary workaround, but may cause additional issues. Review the Git Issue for more details.
 
According to the OpenSSL team, 1.1.1 and 1.0.2 are unaffected.

 

Resources

  1. CISA Advisory
    https://www.cisa.gov/uscert/ncas/current-activity/2022/07/06/openssl-releases-security-updateprob
     
  2. OpenSSL Advisory
    https://www.openssl.org/news/secadv/20220705.txt
     
  3. NIST Description
    https://nvd.nist.gov/vuln/detail/CVE-2022-2274
     
  4. OpenSSL Bug Tracker for issue
    https://github.com/openssl/openssl/issues/18625
Previous Post

BeyondTrust Training

Next Post

Weekly Top Ten Cybersecurity Stories – 7.8.2022

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.