What to know and do about this week’s OpenSSL vulnerability
A new vulnerability has just been disclosed in OpenSSL, an open-source cryptography library that is very widely used in a range of commercial and internal applications to provide encryption and other security and privacy capabilities. OpenSSL is found in applications deployed on-premises, in the cloud, in SaaS applications, on endpoints, servers, in IoT or OT environments, and more.
What is the issue in OpenSSL?
The vulnerability disclosure describes an issue with how OpenSSL versions 3.0 through 3.0.6 perform certificate verification, a process that occurs in applications performing certificate-based authentication as TLS clients or servers. The OpenSSL Project team has rated the vulnerability “high” and has released version 3.0.7 to correct the issue. Additional information is provided by the OpenSSL security team here.
There is some good news: this week’s security issue affects only OpenSSL versions 3.0 through 3.0.6, which limits the scope of affected applications. Version 3.0 was released just over a year ago, on September 7, 2021, and many applications still use older versions that do not contain this new flaw.
Even if an application is using an affected version of OpenSSL, it is not necessarily vulnerable. Exploitability depends on a set of factors, listed in the OpenSSL vulnerability disclosure, related to how OpenSSL is used in each application and the nature of the surrounding platform.
What should you do now?
While this disclosure is brand new and security vendor teams are still assessing the information, there are steps you can take now.
1. Don’t panic: There are many applications still using OpenSSL versions earlier than 3.0, and these are unaffected. It’s extremely unlikely you will face issues in all of your applications.
2. Find internal applications using OpenSSL 3.0 through 3.0.6: Now is a great time to identify any internal applications (e.g., custom applications built by your employees or contractors) that are using affected versions of OpenSSL. You can use an existing “software bill of materials” (SBOM) or run a scan across your company’s source code repositories. Then, using the vulnerability disclosure details, your developers can assess whether each application is vulnerable.
3. Prepare to check third-party vendor status: Many third-party applications use OpenSSL, and you will want to query the vendors of the applications you use, whether on-premises or SaaS, to understand how they are affected. Keep in mind that vendors have only learnt the vulnerability details today (Tuesday, November 1st) and won’t be able to comment immediately on exploitability unless they happen to be using only older versions of OpenSSL (prior to 3.0).
4. Prepare to patch: Expect that some of your in-house and third-party applications will require urgent patching. Consider prioritisation based on your inventory and anticipate the need for extra resources focused on patching in the near term.
5. Prepare to temporarily take some applications offline: If the vulnerability details reveal serious risk to your company’s operations or data, and patches are not available in a timely fashion, it may be necessary to take these applications offline temporarily. This is unlikely to be a widespread situation given the specific nature of the exploitation risk.
6. Consider mitigations once further details are known: It’s too soon to know what mitigations will be effective beyond patching. It’s possible that technologies such as Intrusion Prevention Systems (for example, Trend Micro’s TippingPoint) or Host Intrusion Prevention Systems (for example, the virtual patching features found in Trend Micro’s Cloud One and Apex One endpoint security products) may be effective against exploitation of this OpenSSL vulnerability, but Trend Micro’s engineering team is still assessing the vulnerability details in order to determine whether these technologies can provide mitigation.
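As an added illustration of step 2 (not code from the original post or from Trend Micro), the following Python script walks a CycloneDX-style SBOM and flags OpenSSL components whose version falls in the affected 3.0.0 through 3.0.6 range, treating unparseable or missing versions as needing manual review. The SBOM shape (a "components" list with "name" and "version" keys) and the sample entries are assumptions constructed for the example.

```python
import json
import re

# Range named in the advisory: 3.0 through 3.0.6 affected, 3.0.7 is the fix.
FIRST_AFFECTED = (3, 0, 0)
FIXED = (3, 0, 7)

# Accepts '3.0.5', a bare '3.0', and legacy letter-suffixed versions like '1.1.1q'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?[a-z]*$")

def parse_version(version):
    """Return (major, minor, patch) or raise ValueError for a non-OpenSSL version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

def classify(version):
    """'affected' for 3.0.0 <= v < 3.0.7, 'ok' for any other parseable version, 'unknown' otherwise."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"  # missing or odd version string: needs manual review
    return "affected" if FIRST_AFFECTED <= v < FIXED else "ok"

def find_openssl_components(sbom):
    """Return (name, version, status) for every SBOM component whose name mentions OpenSSL."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        if "openssl" not in name.lower():
            continue  # not an OpenSSL entry, skip it
        version = comp.get("version", "")
        findings.append((name, version, classify(version)))
    return findings

# Constructed sample SBOM (not a real inventory) so the script runs stand-alone.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "openssl", "version": "3.0.5"},
  {"type": "library", "name": "openssl", "version": "1.1.1q"},
  {"type": "library", "name": "openssl-libs", "version": "3.0.7"},
  {"type": "library", "name": "zlib", "version": "1.2.13"},
  {"type": "library", "name": "openssl"}
]}
""")

if __name__ == "__main__":
    for name, version, status in find_openssl_components(SAMPLE_SBOM):
        print(f"{status:8} {name} {version or '<no version>'}")
```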
Are Trend Micro Products Affected?
Trend Micro is currently assessing its products to determine the exploitability of the OpenSSL 3.0 vulnerability and will be communicating the status as it becomes available in a knowledge base published here. The knowledge base and this blog post will be updated as we learn more.