On October 26 Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)'s VP of Security, tweeted, "OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC." Here's what we know about the two vulnerabilities, their impact, and how Axonius customers can find impacted assets.
What Are OpenSSL Vulnerabilities CVE-2022-3786 and CVE-2022-3602?
The OpenSSL project noted on Tuesday, October 25:
Hello,
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL version 3.0.7.
This release will be made available on Tuesday 1st November 2022 between
1300-1700 UTC.
OpenSSL 3.0.7 is a security-fix release. The highest severity issue
fixed in this release is CRITICAL.
UPDATE: On November 1, 2022, OpenSSL issued the following update noting that the original CRITICAL classification of CVE-2022-3602 had been downgraded to HIGH:
CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).
Our security policy states that a vulnerability might be described as CRITICAL if “remote code execution is considered likely in common situations”. We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1st November 2022 before being released to HIGH.
CVE-2022-3786 was NOT rated as CRITICAL from the outset, because only the length and not the content of the overwrite is attacker controlled. Exposure to remote code execution is not expected on any platforms.
What Do CVE-2022-3786 and CVE-2022-3602 Impact?
Per OpenSSL, only the 3.0.x branch is affected (3.0.0 through 3.0.6); 1.1.1 is not affected, and 3.0.7 contains the fix. SANS Internet Storm Center has a list of Linux distros and the version of OpenSSL they use here. As the full extent of these vulnerabilities is still evolving, additional information on affected products can be found in the 2022 OpenSSL vulnerability - CVE-2022-3602 GitHub repository, jointly maintained by the Netherlands' Nationaal Cyber Security Centrum (NCSC-NL) and CISA.
How Can I Find Assets Impacted by CVE-2022-3786 and CVE-2022-3602?
Axonius customers can identify OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602 in the following ways:
By OpenSSL Version
You can look for all devices that have vulnerable OpenSSL versions (3.0.0 through 3.0.6 inclusive; 3.0.7 is fixed and 1.1.1 is not affected).
Axonius customers can use the query wizard to search for:
("specific_data.data.last_seen" >= date("NOW - 30d")) and (("specific_data.data.installed_software" == match([("name" == regex("openssl", "i")) and ("version_raw" > '000000003') and ("version_raw" < '0000000030000000000000007')])) or ("specific_data.data.installed_software" == match([("name" == regex("openssl", "i")) and (("version" == "3.0") or ("version" == "3.0.0") or ("version" == "3"))])) or ("specific_data.data.installed_software" == match([("name_version" == regex("openssl[_\s\-]3[\._]0[\._][0-6]", "i"))])))
The query combines three matches: a version_raw range covering 3.0.0 through 3.0.6, a literal match for records that report the version only as "3", "3.0" or "3.0.0", and a regex over name_version for records that embed the version in the software name. Note that a version match alone cannot tell whether a distribution has backported the fix into a package that still reports an upstream version in the affected range, so treat the results as candidates to confirm against distro advisories. This query can then be saved and used as a baseline. Combined with additional queries, you can gain more context about the impacted devices, such as impacted devices without endpoint protection, devices unscanned by vulnerability assessment tools, and devices with public IPs.
By CVE ID
The CVE IDs for the OpenSSL vulnerabilities are CVE-2022-3786 and CVE-2022-3602, and Axonius customers can use the following query:
("specific_data.data.last_seen" >= date("NOW - 30d")) and (("specific_data.data.software_cves.cve_id" == "CVE-2022-3602") or ("specific_data.data.software_cves.cve_id" == "CVE-2022-3786"))
This will yield a list of all assets for which a connected source (for example a vulnerability scanner) reports either CVE. Assets whose sources do not report CVE data will not appear here, so use this query alongside the version-based query rather than instead of it.
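The detection logic behind the two queries above, written out as an added Python example that is not Axonius's own code and does not use the Axonius query language or API. It applies the same rules (upstream version 3.0.0 through 3.0.6, bare "3" or "3.0" version strings, and a name_version regex) plus the CVE ID match to a constructed inventory. The inventory records and hostnames are made up for illustration; matching on "libssl" package names and rejecting "3.0.10" in the regex go slightly beyond the page's query and are this example's own choices. Version hits are reported as candidates, because a distribution package can carry a backported fix while still reporting a version in the affected range.

```python
import re

# Affected upstream range per the OpenSSL 3.0.7 advisory: 3.0.0 through 3.0.6.
# 1.1.1 and 1.0.2 are not affected; 3.0.7 and later are fixed.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)
AFFECTED_CVES = {"CVE-2022-3602", "CVE-2022-3786"}

# Software names worth inspecting. "libssl" is an assumption added here:
# Debian/Ubuntu ship the OpenSSL 3 library as "libssl3", which a plain
# "openssl" name match would miss.
NAME_RE = re.compile(r"openssl|libssl", re.I)

# Mirrors the page's name_version regex ("openssl[_\s\-]3[\._]0[\._][0-6]")
# for records that embed the version in the name, with a trailing
# negative lookahead so that "OpenSSL_3.0.10" is not read as "3.0.1".
NAME_VERSION_RE = re.compile(r"openssl[_\s\-]3[\._]0[\._]([0-6])(?![0-9])", re.I)


def parse_version(version):
    """Return the numeric (major, minor, patch) prefix of a version string.

    Bare "3" or "3.0" pads to (3, 0, 0), the way the page's query treats
    those values. Distro suffixes such as "3.0.2-0ubuntu1.7" or "3.0.5-r0"
    and letter suffixes such as "1.1.1q" are ignored for the comparison.
    Returns None when the string does not start with a number.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected_openssl(name, version=None):
    """True if an installed-software record denotes OpenSSL 3.0.0..3.0.6."""
    if not NAME_RE.search(name):
        return False
    if version:
        v = parse_version(version)
        # Tuple comparison handles 3.0.10 correctly, unlike naive string compare.
        return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX
    # No separate version field: fall back to the combined name/version string.
    return NAME_VERSION_RE.search(name) is not None


def find_affected(inventory):
    """Map hostname -> reasons (matching software or CVE IDs) for candidate assets."""
    hits = {}
    for asset in inventory:
        reasons = []
        for name, version in asset.get("software", []):
            if is_affected_openssl(name, version):
                reasons.append(f"{name} {version or ''}".strip())
        for cve in asset.get("cves", []):
            if cve in AFFECTED_CVES:
                reasons.append(cve)
        if reasons:
            hits[asset["host"]] = reasons
    return hits


# Constructed sample inventory (not real asset data).
INVENTORY = [
    {"host": "web-01", "software": [("OpenSSL", "3.0.5")], "cves": []},
    {"host": "web-02", "software": [("openssl", "3.0.7")], "cves": []},   # fixed
    {"host": "db-01", "software": [("openssl", "1.1.1q")], "cves": []},   # unaffected branch
    {"host": "app-01", "software": [("OpenSSL_3.0.2", None)], "cves": []},  # name_version only
    {"host": "app-02", "software": [("openssl", "3")], "cves": []},       # bare major version
    {"host": "ci-01", "software": [("libssl3", "3.0.2-0ubuntu1.7")], "cves": []},  # distro pkg
    {"host": "scan-01", "software": [], "cves": ["CVE-2022-3786"]},       # scanner-reported only
]

if __name__ == "__main__":
    for host, reasons in sorted(find_affected(INVENTORY).items()):
        print(f"{host}: candidate ({', '.join(reasons)}) - confirm against distro advisory")
```

The ci-01 record shows the caveat: a version-only rule flags "3.0.2-0ubuntu1.7" because the upstream version sits in the range, which is exactly what the version_raw query does, and only a distro advisory or a CVE-aware scanner can say whether that package is actually patched.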
Visualizing the OpenSSL Vulnerability With Axonius Dashboards
Within Axonius, customers can create easy-to-use charts that illustrate the query findings and support the patching process. This makes security issues and remediation efforts visible at a glance and lets security teams chart progress over time.
Axonius customers: Customer Support has created a predefined dashboard for this issue; contact Customer Support to obtain it.
Creating Alerts Within the Axonius Enforcement Center
Security, IT, and operations teams can use the Axonius Enforcement Center to act automatically on identified issues such as those shown above. Administrators can customize actions like notifying asset owners to update OpenSSL immediately, opening a support ticket so that IT and security take action on their behalf, or automatically adding assets to a CMDB group so they can be updated together.
When Will the Patch Be Available?
The fix ships in OpenSSL 3.0.7, released on November 1, 2022. You can find details here.
Is Axonius Impacted by the OpenSSL Vulnerabilities?
Our assessment found that Axonius is not impacted by the new OpenSSL 3 vulnerabilities in either Cybersecurity Asset Management or SaaS Management. However, this is an ongoing worldwide incident and new findings might arise in the next few days. We will keep monitoring closely as information on the vulnerabilities evolves.