The cyber security community was deeply engrossed this week in the news that OpenSSL, the organization responsible for the software package that encrypts and secures communications across much of the internet, was about to release a patch for a newly discovered “Critical” vulnerability.
The original announcement on October 25th was met with a cyclone of reaction and commentary from security experts. However, after a few tense days of speculation, OpenSSL downgraded the vulnerability rating to “High” before publicly releasing details of the security flaw and the patch on November 1, 2022. Despite the lowered rating, and while the issue is turning out not to be the crisis that many experts had feared, this is still considered a potentially major security issue and it is important to understand it and take remedial action where necessary.
This blog will explain what OpenSSL is used for, the commotion caused by the announcement this week, what it means for your OT network’s cyber security, and offer SCADAfence’s analysts advice for protecting your network from the vulnerabilities.
Securing Communications Across The Internet from Vulnerabilities
As the name implies, OpenSSL is an open source project maintained by volunteers. Its primary purpose is to secure communication across the Internet by creating encrypted channels that allow digital information to travel between endpoints securely. First released in 1998, it is considered a very mature and secure product and is widely in use by thousands of software development companies worldwide. Most services and websites whose URLs start with “https” are relying on a version of OpenSSL.
In 2014, OpenSSL captured headlines when a critical vulnerability branded Heartbleed was first identified. Heartbleed is a flaw in OpenSSL’s ‘Heartbeat’ extension that could be exploited to send a seemingly legitimate message which would fool a computer into revealing secret information such as passwords and credit card numbers. For many observers, the recent vulnerability was reminiscent of the Heartbleed critical vulnerability and there was some concern that this could be a repeat of that episode.
OpenSSL Announces A “High” Vulnerability
This latest vulnerability was reported to OpenSSL by a user on October 17th, 2022. Upon initial review, the organization assigned it an internal rating of “critical”. On October 25th, they quietly announced that they would soon be releasing a product upgrade to address a recently discovered security flaw. One week later, they released full details of the vulnerability and the patch.
It’s important to note that this security flaw only affects the newest major version of OpenSSL, versions 3.0.0 to 3.0.6, first released just over a year ago in September 2021. The patch is shipped in version 3.0.7. Older versions of the software are not affected.
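To turn the affected range above into a quick inventory check, here is an added example (not code from the SCADAfence post): a POSIX shell function that parses the output of `openssl version` and reports whether the reported version falls in 3.0.0 through 3.0.6. The sample version strings at the end are constructed to exercise each branch.

```shell
#!/bin/sh
# Added example, not from the original post: classify an OpenSSL version string
# against the affected range 3.0.0..3.0.6 (fixed in 3.0.7).

# Extract the numeric version from a string such as "OpenSSL 3.0.5 5 Jul 2022"
# or "OpenSSL 1.1.1q  5 Jul 2022"; prints e.g. "3.0.5" (letter suffixes dropped).
openssl_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\)[a-z]*.*$/\1/p'
}

# Returns 0 (true) if the version lies in 3.0.0..3.0.6, otherwise 1.
openssl_is_affected() {
    ver=$(openssl_version_number "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$rest" = "$minor" ] && patch=0   # a bare "3.0" has no patch field
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# One-line verdict for a version string; used for the local binary and samples.
classify_openssl() {
    if openssl_is_affected "$1"; then
        echo "AFFECTED: $1 (upgrade to 3.0.7 or later)"
    elif [ -n "$(openssl_version_number "$1")" ]; then
        echo "not affected: $1"
    else
        echo "unrecognised: $1"
    fi
}

# Check the system binary if present, then constructed samples for each branch.
if command -v openssl >/dev/null 2>&1; then
    classify_openssl "$(openssl version)"
fi
for sample in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
              "OpenSSL 1.1.1q  5 Jul 2022" "OpenSSL 3.0.10 1 Aug 2023"; do
    classify_openssl "$sample"
done
```

Note that applications and appliance firmware can bundle their own copy of the library, so the system `openssl` binary is only one of the places a 3.0.x build may be present.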
The risk posed by these new vulnerabilities, CVE-2022-3602 and CVE-2022-3786, is that they could be weaponized by malicious actors to launch Distributed Denial of Service (DDoS) attacks or Remote Code Execution (RCE).
The OpenSSL project explained that they downgraded the flaw’s rating from “Critical” to “High” because, during the week of pre-notification, additional testing determined that exploiting this vulnerability would be very difficult, and they consider successful exploitation highly unlikely.
The Impact for OT/ICS Networks’ Cyber Security
Luckily, the impact of this vulnerability on OT networks is so far expected to be limited. Since, as stated above, the vulnerability is only relevant to products using OpenSSL version 3, older OT/ICS devices using earlier versions of the software library will not be affected.
According to SCADAfence CTO Paul Smith, “We have reviewed the High vulnerabilities announced this week by OpenSSL and believe the impact on the traditional OT world will be minimal as most client side interfaces are still running legacy versions and tend to not have trusted authority signed certificates for the on-premise equipment.”
Overall we expect OT networks to experience very limited impact or disruption. Because the version of OpenSSL under discussion is relatively new, only a handful of OT and IIoT devices are using it. Most organizations in the critical infrastructure and manufacturing sectors will have very few deployed assets affected by this announcement. Given the very recent release date, older appliances running earlier OpenSSL versions are not affected, and exposure is further reduced by the fact that most organizations use self-signed certificates on their equipment rather than certificates issued by a third-party trusted signing authority.
“Additionally, as with all newly announced vulnerabilities, SCADAfence’s product team has reviewed and assessed any potential impact on SCADAfence customers. Users of the SCADAfence Platform do not have exposure to the latest OpenSSL version 3.X vulnerability as we do not utilize any of these versions in our products. Furthermore the vulnerability is directly related to client side signed certificates and these certificates require a compromised trusted signing authority,” said Smith.
As of now, OpenSSL says there is no evidence that the new vulnerabilities are being exploited by threat actors in the real world. There have been no reported attacks based on this vulnerability. OpenSSL confirms in their official advisory, and in a blog post on the day the patch was released, "we are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited."
As always, it is important to stay aware of the latest potential cyber security threats and how they may impact your organization, and to apply the latest security patches to deployed assets on your network where possible.
The SCADAfence Platform recently released a new feature, Tailored Threat Intelligence which creates a custom feed of news and intelligence specifically for your OT network, containing information most important to you. This feature helps you understand the relevancy of reported vulnerabilities and their potential impact on your network in an ongoing, real time manner and provides a custom relevancy score for each news item or event.
If you have any specific questions about how your organization may be affected by the OpenSSL vulnerabilities, please contact us at firstname.lastname@example.org, or request a demo of the SCADAfence Platform.
SCADAfence will update this blog with additional information as it becomes available.