ITP Techblog

Note: This vulnerability specifically affects OpenSSL 3 which relatively few Linux distributions and projects are using at this time. However, that can change very quickly, so if you’re in any doubt, please do check that you are not using OpenSSL 3 anywhere and if you are, get it patched immediately when patches become available!

On the 25th of October, a member of The OpenSSL Project Team announced that they would be releasing a new version of OpenSSL on the 1st of November that would contain fixes for what they had deemed to be a CRITICAL security issue.

The OpenSSL project makes very clear what they deem to be an issue of CRITICAL severity:

• Critical severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys (excluding local, theoretical or difficult to exploit side-channel attacks) or where remote code execution is considered likely in common situations.

In other words, if you’re using an application that uses OpenSSL and you hear about it having a CRITICAL security vulnerability, you want to be paying very, very close attention and make sure that either you are not affected or you get the issue patched as soon as possible.

What is OpenSSL? Where can I find it?

OpenSSL is arguably the most widely adopted cryptography library in use today. It’s primarily used for securing network connections such as visiting secure websites (https) or hosting such sites. Generally speaking, if OpenSSL is involved, it’s because you want to secure something and keep it confidential and safe. A bug in OpenSSL then could potentially allow attackers access to things you would want to keep confidential, such as traffic to online banking, email providers and corporate VPN connections.

As for where it can be found, the answer is pretty much everywhere. It is used by most Linux distributions (certainly the popular ones like Fedora, Debian, Ubuntu and Red Hat) which in turn means that most software running on those platforms will use the provided version of OpenSSL to secure their own communications (this is, in general, a good thing).

It’s also found in FreeBSD and derivatives like the OPNSense firewall product and many apps built for iOS and Android will include their own built-in versions of OpenSSL to ensure they are portable across multiple platforms. Interestingly one platform that almost manages to avoid OpenSSL entirely is Mac OSX which previously switched to LibreSSL, a derivative of OpenSSL with a focus on simplification and improved security created by members of the OpenBSD team. That said, if you are using Homebrew to install additional software (you’ll know if you are), that can often pull in OpenSSL, which then could be affected.

What’s the actual security vulnerability?

That’s the thing, no one yet knows, and we won’t know until the 1st of November. The reason they are notifying everyone early before the official announcement is to make sure that people are watching their inboxes for news and (hopefully) a fix. That way fixes should be deployed very quickly, greatly reducing the time window that potential attackers would have to exploit it.

Although a lot of people are guessing right now and hypothesising what it could be (it is after all a CRITICAL vulnerability), these are just guesses. Try not to read too much into them.

Am I likely to be affected?

The good news is that although OpenSSL is basically everywhere, the vast majority of people are using variants of either 1.1.1 or 1.0.2 which are not affected by this vulnerability. To check whether your version of OpenSSL is affected, you can run the command “openssl version” at a terminal and you should get something like this:

$ openssl version

OpenSSL 1.1.1n 15 Mar 2022

$

On my Mac I get:

$ openssl version

LibreSSL 2.8.3

$

The SANS Internet Storm Center has compiled a list of various operating systems and distributions along with the versions of OpenSSL that they use. You can check out their list here. They note however that as the first release of OpenSSL 3.0 was in September 2021 that “older operating systems are likely using 1.1.1 which is not affected”.

So what should I do?

For now, keep your eyes peeled for details on the vulnerability that will be released this Tuesday. I expect the various distributions will release fixes at the same time, so it’s important that you know which systems are likely to be affected and stand ready to update them.

As always there will be a lot of news coverage around and don't be too surprised if you hear a lot of sensationalist commentary. Security issues like these don’t come along all that often so they do catch a lot of attention. As long as you’ve identified your affected systems and applied the updates, you’re in a really good position.

Summary

OpenSSL, arguably the most popular cryptographic library in the world, has just announced a CRITICAL vulnerability in its latest version. The good news is that the vast majority of systems using OpenSSL will be using the 1.0.2 or 1.1.1 variants and hence won’t be affected. As OpenSSL 3.0 was only released in September of 2021, anything older is unlikely to be affected either.

We will know more about the vulnerability on Tuesday, but in the meantime, check your systems to make sure they aren’t running a vulnerable version, and if they are, stay tuned for security fixes from your upstream providers.

And, as always, don’t panic!

Peter Membrey is the Chief Engineer (VPN Tech) at ExpressVPN, based in Hong Kong. His primary focus is on the research and development of new technologies to help keep the Internet secure, private, free and open. He has co-authored over a dozen books and a number of research papers. He is a member of IT Professionals NZ.