The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OpenSSL Downgrades Bug Severity to High and Releases Patches

Last week, the OpenSSL Project announced that a patch would be released on November 1, 2022, to address a critical OpenSSL vulnerability, the details of which were being withheld to prevent exploitation of the flaw ahead of the patch. The news caused considerable concern in the open source community and beyond because of how widely OpenSSL is used: it provides the TLS implementation behind HTTPS and countless other encrypted channels, so the implications of such a flaw are enormous.

The news of a critical flaw brought back memories of the Heartbleed bug (CVE-2014-0160), which was exploited to read the memory of systems, including servers and routers, and eavesdrop on communications. It is now 8 years since that patch was released, and there are still 240,000 publicly accessible servers that remain vulnerable to Heartbleed.

The latest vulnerability affects versions 3.0.0 through 3.0.6 of OpenSSL. OpenSSL 3.0 was only released in September 2021, so usage of the 3.x line is still limited; however, the vulnerability still has the potential to be extremely serious and has been a major cause of concern. “The short answer is you should be worried,” said Yotam Perkal, Director of Vulnerability Research at Rezilion. As for how worried you should be, Perkal said, “that depends how many vulnerable instances of OpenSSL 3.x you have in your environment and do you have the ability to accurately detect them so that you could apply the patch once it’s out.” For many organizations, the answer to the latter will be no. This is why it took so long for the Heartbleed bug to be patched.

The OpenSSL Project announced that the patch for the vulnerability would be released between 13:00 and 17:00 UTC on November 1, 2022.


Not One But Two Vulnerabilities

The OpenSSL Project has now confirmed that the vulnerability is not one issue but two. The flaws are tracked as CVE-2022-3602 and CVE-2022-3786, and both are fixed in OpenSSL 3.0.7. There is some good news: the severity has been downgraded from critical to high, and exploiting the flaws would be difficult and require a high level of technical skill.

CVE-2022-3602 is a 4-byte stack buffer overflow in the punycode decoding that OpenSSL performs when checking X.509 name constraints: a crafted email address in a certificate can overwrite four attacker-controlled bytes on the stack, which can cause a crash or potentially lead to remote code execution. CVE-2022-3786 sits in the same code path; a malicious email address can overflow the stack with an arbitrary number of '.' characters, which leads to a crash (denial of service) rather than code execution. Both bugs are triggered during certificate verification, so a client connecting to a malicious server or a server that requests client certificates can be affected, but only if the malicious certificate chains to a CA the verifier trusts or the application continues verification despite failing to build a trusted chain.

The OpenSSL Project said that at the time of releasing the patches, it was not aware of any working exploit in the public domain that would allow remote code execution and that no evidence has been found to indicate either vulnerability has been exploited to date.

The Health Sector Cybersecurity Coordination Center issued an alert about the flaw soon after the OpenSSL Project announced a patch was due for release, warning that exploitation was very likely and might start almost immediately after publication of the patch. Even though the severity of the flaws has been reduced, exploitation is still possible, so prompt patching is recommended wherever OpenSSL 3.0.0 through 3.0.6 is in use, including copies statically linked into applications or shipped inside container images, which package managers will not report. Fortunately, the vulnerable versions of OpenSSL have yet to be heavily deployed in production: currently, between 7,000 and 16,000 Internet-exposed systems are running vulnerable OpenSSL versions.
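Finding every affected copy is the hard part, since the vulnerable library can be linked into applications that never appear in a package inventory. The following Python script is an added example written for this article (not OpenSSL's, Akamai's, or HC3's code): it looks for the version banner that OpenSSL embeds in libcrypto, libssl and statically linked programs, and compares it against the fixed release, 3.0.7. The sample "binaries" are constructed byte strings standing in for files read from disk.

```python
"""Check whether OpenSSL builds fall in the CVE-2022-3602 / CVE-2022-3786 range.

Added example for this article, not OpenSSL's or Akamai's code. It searches for
the "OpenSSL x.y.z <date>" banner that OpenSSL compiles into its libraries and
into programs that link it statically, then compares it against 3.0.7.
"""
import re
import subprocess
import sys

# Affected range per the OpenSSL advisory: 3.0.0 up to and including 3.0.6.
FIRST_AFFECTED = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022" (the output of `openssl version`) and the
# identical banner inside binaries. The letter suffix covers 1.x releases such
# as 1.1.1q, which never contained the vulnerable punycode code.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_version(text):
    """Return (major, minor, patch) from a version banner, or None if absent."""
    if isinstance(text, str):
        text = text.encode()
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True for 3.0.0 <= version < 3.0.7; 1.x and 3.1+ are outside the range."""
    return FIRST_AFFECTED <= tuple(version) < FIXED_VERSION


def classify(data):
    """Classify a binary blob by every OpenSSL banner found in it.

    A file bundling two copies (e.g. a patched system libssl plus a vendored
    older libcrypto) is reported as vulnerable if any copy is in range.
    """
    versions = [tuple(int(x) for x in m.groups()) for m in VERSION_RE.finditer(data)]
    if not versions:
        return "no OpenSSL banner found"
    if any(is_vulnerable(v) for v in versions):
        return "vulnerable"
    if any(v[:2] == (3, 0) for v in versions):
        return "patched (3.0.7 or later)"
    return "not affected (not an OpenSSL 3.0.x build)"


def audit(blobs):
    """Map each name in {name: bytes} to its classification."""
    return {name: classify(data) for name, data in blobs.items()}


# Constructed stand-ins for files you would read from disk; a real scan reads
# libssl.so.3, libcrypto.so.3, Go/Rust/C++ binaries that vendor OpenSSL,
# container image layers, and so on. Dates match the real release dates.
SAMPLE_BINARIES = {
    "app-static-libcrypto": b"\x7fELF\x00\x00OpenSSL 3.0.5 5 Jul 2022\x00more\x00",
    "libssl.so.3":          b"\x7fELF\x00\x00OpenSSL 3.0.7 1 Nov 2022\x00",
    "legacy-tool":          b"\x7fELF\x00\x00OpenSSL 1.1.1q  5 Jul 2022\x00",
    "bundled-two-copies":   b"OpenSSL 3.0.7 1 Nov 2022\x00OpenSSL 3.0.2 15 Mar 2022\x00",
    "libressl-based":       b"\x7fELF\x00\x00LibreSSL 3.3.6\x00",
}


def scan_files(paths):
    """Classify real files given by path."""
    results = {}
    for p in paths:
        with open(p, "rb") as f:
            results[p] = classify(f.read())
    return results


def openssl_cli_version():
    """Version tuple of the `openssl` binary on PATH, or None if there is none."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_version(out)


if __name__ == "__main__":
    # Usage: python check_openssl.py [file ...]; with no arguments the samples run.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else audit(SAMPLE_BINARIES)
    for name, status in results.items():
        print(f"{name}: {status}")
    cli = openssl_cli_version()
    if cli:
        verdict = "vulnerable" if is_vulnerable(cli) else "not in affected range"
        print("openssl on PATH:", ".".join(map(str, cli)), verdict)
```

Treat a banner match as a lead rather than a verdict: distribution packages often backport the fix without changing the upstream version string (Ubuntu 22.04, for example, patched its 3.0.2 package), so confirm against the package changelog before raising an incident. The reverse case is the one that matters most: a statically linked copy inside an application or container will never show up in a package query, which is why the scan works on raw bytes.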

Exploitation of the bugs would require a high level of technical skill, which limits the likelihood of exploitation, and on most modern platforms stack overflow protections such as canaries turn the 4-byte overwrite into a crash rather than a hijack of control flow. Researcher Marcus Hutchins said that while one of the flaws could theoretically lead to RCE, it would be extremely unlikely for the flaw to be exploited and lead to RCE.

That said, OpenSSL warns that “OpenSSL is distributed as source code, we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack, and therefore remote code execution may still be possible on some platforms.”

A list of products confirmed to be affected by the OpenSSL vulnerabilities is being maintained here.

Akamai has released YARA rules and osquery queries that can be used to detect vulnerable instances.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
