Note: If you are running OpenSSL 3, you should update immediately. However, there is no need to panic - although serious vulnerabilities in their own right, the circumstances required to exploit them are unlikely to affect most people. That does not mean you shouldn’t patch your systems as soon as possible however!

The OpenSSL Project has just released details on the vulnerabilities that they initially announced last week.

Two Critical issues were identified but ultimately one was downgraded from Critical to High after further analysis on the “mitigating factors” of the exploit. Of course, it is recommended that users upgrade as soon as possible in any case.

What were the vulnerabilities?

A vulnerability was found in the way OpenSSL 3 was validating certificates. In particular, it would be possible for a maliciously crafted certificate to be able to trigger a buffer overflow that would ultimately crash the application creating a Denial of Service (DoS) attack.

To do so however would require a Certificate Authority (CA) to have signed the maliciously crafted certificate, as trust is verified before the vulnerable check is conducted. It would also be possible for an untrusted malicious certificate to have the same effect if the application continued to process the certificate even after it failed trust verification. However both scenarios are rather unlikely.

For those that would like to read the vulnerability announcements themselves, they can be found here.

So what’s the real impact?

The real takeaway from this situation is just how professionally the OpenSSL Project Team handled the situation. By giving everyone a full week to prepare and be ready to apply patches, they’ve helped to ensure awareness in the industry and that we don’t end up with systems that go unpatched for extended periods of time. That’s really the ideal outcome.

Some have said that by announcing the issue but not providing details that the team put real people in danger as attackers could use the news as a source of inspiration for attack. Whilst there is some truth to that, realistically those sorts of analysis are going on continuously; an alert from the OpenSSL Project Team isn’t going to be what makes a determined attacker start looking for exploits.

Summary

Most people then were never at any risk in the first place and those that were are unlikely to be in a position where the exploit can be used against them. Thanks to the media coverage of the situation, most people who are in the second category are aware and ready to patch in any case.

We should use this situation as a textbook example of a successfully managed vulnerability disclosure. And as always, we should be alert and on guard for any challenges that may come up in future!

Peter Membrey is the Chief Engineer (VPN Tech) at ExpressVPN, based in Hong Kong. His primary focus is on the research and development of new technologies to help keep the Internet secure, private, free and open. He has co-authored over a dozen books and a number of research papers. He is a member of IT Professionals NZ.