
OpenSSL flaws downgraded and patched after initial alarm

OpenSSL’s security team says two vulnerabilities are difficult to exploit.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

An OpenSSL buffer overflow vulnerability originally classified as “critical,” a rating that put it on the scale of the infamous Heartbleed bug of 2014, has since been patched, and its severity has been downgraded to “high.”

The bug, along with a second flaw rated high severity, affects OpenSSL versions 3.0.0 through 3.0.6; both are fixed in OpenSSL 3.0.7, released November 1. Older release lines such as 1.1.1 are outside the affected range. OpenSSL is an open-source implementation of the SSL and TLS protocols and is used by the majority of HTTPS-enabled websites to secure communications, so any major flaw in it has a disproportionate impact on the overall security of the web.
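The first question a practitioner asks on reading a version range like the one above is whether any of their own hosts fall inside it. The script below is an added example, not code from the article, OpenSSL, or any vendor: it parses the banner printed by `openssl version` (or the version string Python reports for the OpenSSL it is linked against), classifies it against the 3.0.0 through 3.0.6 range the article names, and sweeps a constructed inventory of hostnames and banners for hosts that still need 3.0.7. The hostnames and banners are hypothetical sample data.

```python
import re
import ssl

# Range reported in the article: OpenSSL 3.0.0 through 3.0.6 are affected and
# 3.0.7 (released November 1) carries the fix. Earlier release lines such as
# 1.1.1 sit below the range and are not affected by these two bugs.
AFFECTED_MIN = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

# Matches the leading "OpenSSL X.Y.Z" of an `openssl version` banner; a trailing
# patch letter (1.1.1q) or build date is ignored on purpose.
_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None
    when the banner is not OpenSSL's (LibreSSL, BoringSSL, garbage input)."""
    m = _BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def classify(banner):
    """Classify one banner against the advisory's range.

    affected          3.0.0 <= version <= 3.0.6
    patched           3.0.7 or later
    unaffected-older  anything below 3.0.0 (e.g. the 1.1.1 line)
    not-openssl       banner does not start with "OpenSSL X.Y.Z"
    """
    version = parse_openssl_version(banner)
    if version is None:
        return "not-openssl"
    if AFFECTED_MIN <= version < FIRST_FIXED:
        return "affected"
    if version >= FIRST_FIXED:
        return "patched"
    return "unaffected-older"


def runtime_status():
    """Classify the OpenSSL this Python interpreter is linked against."""
    return classify(ssl.OPENSSL_VERSION)


def affected_hosts(inventory):
    """Given {hostname: banner}, return the sorted hostnames still on an affected build."""
    return sorted(host for host, banner in inventory.items() if classify(banner) == "affected")


# Constructed sample inventory: hypothetical hosts and banners, not real scan data.
SAMPLE_INVENTORY = {
    "web-01.example.internal": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02.example.internal": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy.example.internal": "OpenSSL 1.1.1q  5 Jul 2022",
    "bsd-gw.example.internal": "LibreSSL 3.3.6",
    "build.example.internal": "OpenSSL 3.0.0 7 sep 2021",
}

if __name__ == "__main__":
    print("interpreter:", ssl.OPENSSL_VERSION, "->", runtime_status())
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("needs 3.0.7:", host, "(", SAMPLE_INVENTORY[host], ")")
```

One caveat when using a version string as the only signal: distribution packages sometimes backport a security fix without bumping the upstream version in the banner, so a host that this check flags as affected should be confirmed against the package changelog (or the distribution's advisory) before being counted as exposed.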

According to the Register, the more serious bug let an attacker who could present a maliciously long email address in an X.509 certificate “overflow four attacker-controlled bytes on the stack that crashes the application or server—or potentially leads to remote code execution (RCE).” Exploiting it, however, would require one of two situations to arise.

Either a certificate authority would have to sign the malicious certificate, which is unlikely, or the targeted application would have to keep processing the certificate after chain validation had already failed, in which case it would already have grave flaws. Beyond that, the circumstances needed to pull off an attack are so specific that security researcher Matt Tait tweeted it would be “really, really hard, even for very competent exploit writers.”

According to the OpenSSL security team, certain Linux distributions appeared immune to the bug because of how their stack was laid out, and the stack overflow protections built into modern platforms would have prevented RCE anyway. That, coupled with the many steps involved in exploiting the bug, led the team to conclude that exploitation was no longer “likely in common situations” and to downgrade its severity. The second bug could crash a process but never allowed an attacker to execute code, and it was rated “high” severity from the outset.

The Heartbleed bug, OpenSSL’s previous critical vulnerability, allowed attackers to read chunks of protected memory and affected hundreds of millions of websites. Fortunately, Bleeping Computer reported, Censys found that of 1,793,000 unique hosts publicly exposing services built on OpenSSL, only around 7,000 were running the affected versions.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
