Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn


Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a “critical” vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that fixes a still-undisclosed flaw in current versions of the technology. The nature of the vulnerability and the ease with which it can be exploited will determine how quickly organizations need to address the issue.

Potentially Huge Implications

Major operating system vendors, software publishers, email providers, and technology companies that have integrated OpenSSL into their products and services will likely have updated versions of their technologies timed for release with the OpenSSL Project’s disclosure of the flaw next Tuesday. But that will still leave potentially millions of others — including federal agencies, private companies, service providers, network device manufacturers, and countless website operators — with a looming deadline to find and fix the vulnerability before threat actors begin to exploit it.

If the new vulnerability turns out to be another Heartbleed, the last critical vulnerability to hit OpenSSL, organizations and indeed the entire industry will be under the gun to fix the problem as quickly as possible.

The Heartbleed vulnerability (CVE-2014-0160), disclosed in 2014, gave attackers a way to eavesdrop on Internet communications, steal data from services and users, impersonate services, and do all of this without leaving any trace of ever having done so. The bug had been present in OpenSSL releases since March 2012 and affected a staggering range of technologies, including widely used web servers such as Nginx, Apache, and IIS; organizations such as Google, Akamai, CloudFlare, and Facebook; email and chat servers; network appliances from companies such as Cisco; and VPNs.

The disclosure of the bug triggered a frenzy of remedial activity across the industry and sparked concerns of major compromises. As Synopsys’ Heartbleed.com site noted, Apache and Nginx alone accounted for a market share of over 66% of active sites on the Internet at the time Heartbleed was disclosed.

There’s no telling, until Tuesday at least, if the new flaw will be anything like Heartbleed. But given the almost critical-infrastructure-like use of OpenSSL for encryption across the Internet, organizations would do well not to underestimate the threat, security experts said this week.

Security Organizations Should Brace for Impact

“It is a bit difficult to speculate about the impact, but past experience has shown that OpenSSL doesn’t use the label ‘critical’ lightly,” says Johannes Ullrich, dean of research at the SANS Institute.

OpenSSL itself defines a critical flaw as one that allows significant disclosure of the contents of server memory, potentially including user details, or one that can be easily exploited remotely to compromise server private keys.

Version 3.0, the current release of OpenSSL, is used in many current operating systems, such as Ubuntu 22.04 LTS and MacOS Mavericks and Ventura, Ullrich notes. Organizations can expect to receive Linux patches quickly and likely at the same time as the OpenSSL bulletin on Tuesday. But organizations should get ready now, finding out which systems use OpenSSL 3.0, Ullrich says. “After Heartbleed, OpenSSL introduced these preannouncements of security patches,” he says. “They are supposed to help organizations prepare. So, use this time to find out what will need patching.”

Brian Fox, co-founder and CTO at Sonatype, says that by the time the OpenSSL Project discloses the bug on Tuesday, organizations need to have identified whether they use a vulnerable version anywhere in their technology portfolio, which applications use it, and how long it would take them to remediate the issue.

“Potential reach is always the most consequential piece of any major flaw,” Fox notes. “In this instance, the largest challenge with updating OpenSSL is that often this usage is embedded inside of other devices.” In these instances, it can be hard to assess exposure without asking the upstream provider of the technology, he adds.

Anything that communicates with the Internet securely could potentially have OpenSSL built in to it. And it’s not just software that can be affected but hardware as well. The advance notice that the OpenSSL Project provided should give organizations time to prepare. “Finding what pieces of software or devices is the first step. Organizations should do that now, and then patching or sourcing updates from the upstream vendors will follow,” Fox says. “All you can do at the moment is inventory.”

An Entire Ecosystem May Need to Be Updated

A lot will also depend on how vendors of products with vulnerable versions of OpenSSL embedded in them respond to the disclosure. The OpenSSL Project’s release of the new version on Tuesday is only the first step. “An entire ecosystem of applications built with OpenSSL will also have to update their code, release their own updates, and organizations will need to apply them,” says John Bambenek, principal threat hunter at Netenrich.

Ideally, organizations that have dealt with Heartbleed will have an idea of where their OpenSSL installs are and which of their vendor products will require an update as well. “This is why software bills of materials can be important,” Bambenek says. “They can take this time to reach out and understand their suppliers and vendors plans for updates to make sure those updates are applied as well.” One likely issue that organizations need to be prepared for is how to deal with end-of-life products for which updates are not available, he adds.
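The inventory step Ullrich and Fox describe, and the SBOM check Bambenek recommends, both reduce to the same question: does this recorded version string fall in the affected range? The script below is an added example, not code from the article, the OpenSSL Project, or any of the vendors quoted. The only facts it takes from the pre-announcement are that 3.0.0 through 3.0.6 are affected, 3.0.7 is the fix, and the 1.1.1 line (1.1.1s included) is not susceptible. Every host name, package string, and SBOM component in it is constructed for illustration.

```python
"""Triage recorded OpenSSL version strings against the 3.0.x flaw fixed in 3.0.7.

Added illustration, not code from the article or from the OpenSSL Project.
Facts assumed from the pre-announcement: 3.0.0 through 3.0.6 are affected,
3.0.7 fixes it, and the 1.1.1 line (1.1.1s included) is not susceptible.
All hosts, package strings and SBOM entries below are constructed samples.
"""
import re
from typing import Optional

VersionTuple = tuple[int, int, int, str]

# A line counts as OpenSSL evidence only if it names the binary, library or package.
_OPENSSL_NAME = re.compile(r"openssl|libssl|libcrypto", re.IGNORECASE)
# 3.x uses plain numbers ("3.0.5"); 1.x appends a patch letter ("1.1.1q").
_VER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def parse_version(text: str) -> Optional[VersionTuple]:
    """Extract (major, minor, patch, letter) from text that names OpenSSL.

    Handles `openssl version` output ("OpenSSL 3.0.5 5 Jul 2022"), package
    listings ("libssl3 3.0.2-0ubuntu1.6") and purls ("pkg:generic/openssl@3.0.5").
    Returns None when the text does not mention OpenSSL or carries no version.
    """
    if not _OPENSSL_NAME.search(text):
        return None
    m = _VER_RE.search(text)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def classify(version: VersionTuple) -> str:
    """Status for one parsed version under the Nov. 1 advisory."""
    major, minor, patch, _letter = version
    if (major, minor) == (3, 0):
        return "AFFECTED" if patch < 7 else "FIXED"
    if (major, minor, patch) == (1, 1, 1):
        return "NOT_AFFECTED"  # 1.1.1 is not susceptible; 1.1.1s is only a bug-fix release
    return "OUT_OF_SCOPE"      # e.g. 1.0.2: end-of-life, not what this advisory covers


# Caveat: distributions backport fixes without bumping the upstream number
# (a hypothetical "3.0.2-0ubuntu1.7" could carry the 3.0.7 fix while still
# parsing as 3.0.2). Before patch day the upstream number is all you have;
# after it, confirm distro packages against the distro's own advisory.

# Constructed inventory, one record per (host, evidence) pair as a collector
# script might write them. The hosts are not real.
SAMPLE_INVENTORY = [
    {"host": "web-01",    "evidence": "OpenSSL 3.0.5 5 Jul 2022"},
    {"host": "web-02",    "evidence": "libssl3 3.0.2-0ubuntu1.6"},
    {"host": "mail-01",   "evidence": "OpenSSL 1.1.1q  5 Jul 2022"},
    {"host": "legacy-01", "evidence": "OpenSSL 1.0.2u  20 Dec 2019"},
    {"host": "appl-01",   "evidence": "vendor appliance; library not exposed"},
]


def triage(records: list[dict]) -> dict[str, str]:
    """Map host -> status. Hosts with no parsable evidence are marked
    NEEDS_VENDOR_ANSWER, the embedded-device case Fox describes."""
    result: dict[str, str] = {}
    for rec in records:
        v = parse_version(rec["evidence"])
        result[rec["host"]] = classify(v) if v else "NEEDS_VENDOR_ANSWER"
    return result


# Constructed CycloneDX-style SBOM fragment (only the fields used here).
SAMPLE_SBOM = {
    "components": [
        {"name": "openssl", "version": "3.0.5", "purl": "pkg:generic/openssl@3.0.5"},
        {"name": "libssl3", "version": "3.0.2-0ubuntu1.6"},
        {"name": "curl",    "version": "7.81.0"},
    ]
}


def sbom_findings(sbom: dict) -> list[tuple[str, str]]:
    """Return (component name, status) for every OpenSSL-family component."""
    findings = []
    for comp in sbom.get("components", []):
        v = parse_version(f"{comp['name']} {comp.get('version', '')}")
        if v is not None:
            findings.append((comp["name"], classify(v)))
    return findings


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<10} {status}")
    for name, status in sbom_findings(SAMPLE_SBOM):
        print(f"sbom:{name:<8} {status}")
```

The NEEDS_VENDOR_ANSWER bucket is the useful output: it is the list of devices and appliances for which, as Fox puts it, exposure cannot be assessed without asking the upstream provider, and it is the list to start working before Tuesday.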

Mike Parkin, senior technical engineer at Vulcan Cyber, says that without evidence of exploit activity and associated indicators of compromise, it is best that organizations follow their normal change management process for when a known update is on the way. “On the security side, it’s worth putting some additional focus on systems that might be affected if an exploit emerges before the new release drops,” he advises.

There’s not enough information in OpenSSL Project’s announcement to say how much work will be involved in the upgrade, “but unless it requires updating certificates, the upgrade will probably be straightforward,” Parkin predicts.

Also on Nov. 1, the OpenSSL project will release OpenSSL version 1.1.1s, which it described as a “bug-fix release.” Version 1.1.1, which it replaces, is not susceptible to the CVE that is being fixed in 3.0, the project noted.
