Credential Stuffing Surge Targets Businesses and Individuals.
The recent surge in credential stuffing attacks highlighted by Okta serves as a stark reminder of the importance of robust cyber security practices. These attacks…
OpenSSL releases patches for two high-severity vulnerabilities
Description:
OpenSSL has released a security advisory detailing two new high-severity vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affecting versions 3.0.0 to 3.0.6.
CVE-2022-3786 allows an attacker to use a specially crafted email address within a certificate to trigger a buffer overflow that could result in the program crashing, causing a denial of service. CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow, which an attacker could trigger with a specially crafted email address. The overflow could result in a crash or potentially remote code execution.
Although CVE-2022-3602 was originally classed as critical, it has since been downgraded to high severity. In a blog post, OpenSSL said that organisations performing testing on the vulnerability found that “many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead”, and that on certain Linux distributes there was no crash or ability to cause remote code execution. These lowered chances of successful remote code execution have led to a downgrade in severity. OpenSSL has added, “We still consider these issues to be serious vulnerabilities, and affected users are encouraged to upgrade as soon as possible”. The organisation has stressed that OpenSSL versions 1.1.1 and 1.0.2 are not affected by these bugs and that they are currently not aware of either vulnerability being exploited in the wild.
Preventions:
To prevent exploitation of these vulnerabilities on your system, upgrade to OpenSSL version 3.0.7. They have added that users who obtain OpenSSL from their operating system vendor or a third party should seek an updated version as soon as possible.
If you are unable to upgrade, OpenSSL has recommended that users can consider disabling TLS client authentication until they can apply fixes.
Related Links:
https://www.openssl.org/news/secadv/20221101.txt – Posted 1st November
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ – Posted 1st November
https://www.bleepingcomputer.com/news/security/openssl-fixes-two-high-severity-vulnerabilities-what-you-need-to-know/ – Posted 1st November
https://censys.io/critical-vulnerability-in-openssl/ – Posted 31st October
Related articles
Cisco Firewall Vulnerabilities: Urgent Action Needed to Protect Against State-Sponsored Espionage
Businesses and organisations relying on Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) firewalls are being advised to take immediate action to protect…
Cybercriminals Threaten Release of Sensitive World-Check Database
A recent cyber attack has resulted in a serious data breach affecting the World-Check database, a critical tool used by financial institutions and other organisations…