Advisory – OpenSSL Critical Vulnerability

  • admin
  • Nov 1, 2022

Description

SSS is aware of a critical vulnerability in OpenSSL that could lead to unauthorised information disclosure and unauthorised access if exploited by attackers. No further details or patches are currently available, but we are expecting more information tomorrow.

We believe the potential exposure from this vulnerability could be significant; therefore, your best course of action is to update all affected systems as soon as patches become available and to maintain heightened awareness until then.

Background

OpenSSL is a widely used cryptographic library that provides secure communication across the internet, so this vulnerability is expected to affect a broad range of everyday internet use.

In an official statement last Tuesday, the OpenSSL project team announced that their next version will be released on 2nd November between 0200 and 0600 NZDT.

When the final details and the new version of OpenSSL are released, we expect threat actors to immediately begin reverse engineering the release to identify exactly what is being fixed. They will then create exploits and immediately begin targeting systems that have not been updated.

Affected products

OpenSSL versions 3.0 and above

CVSS Rating/CVE ID

The CVSS rating and CVE ID have not yet been released to the public; however, OpenSSL has categorised this as a critical vulnerability, which means all users of OpenSSL should apply the patch as soon as it becomes available.

Recommended Actions/Next Steps

  • Identify any vulnerable systems using OpenSSL version 3.0 or above
  • Prepare and apply patches to applicable systems when these become available
  • Use security best practices, including patching all systems to the latest stable versions
  • Prepare to update other preventive controls, such as firewalls, IDS and IPS, once the release is announced
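As an added example (not part of this advisory or of the OpenSSL project), the following read-only script carries out the first action item on a Linux host: it reports whether OpenSSL 3.0 or later is present as a CLI binary, as shared libraries, or in package records. It assumes POSIX sh and find; dpkg or rpm are consulted only if present.

```shell
#!/bin/sh
# Added helper for the advisory's first action item: report whether a Linux
# host carries OpenSSL 3.0 or later (CLI, shared libraries, packages).
# Assumes POSIX sh and find; dpkg/rpm are consulted only if present. Read-only.

# is_affected_version "OpenSSL 3.0.5 5 Jul 2022" | "3.0.2-0ubuntu1.6" | "1.1.1q"
# Returns 0 when the string names an OpenSSL 3.x release, 1 otherwise.
# "LibreSSL x.y.z" is a different project and is deliberately not matched.
is_affected_version() {
    ver=$(printf '%s' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.a-z]*\).*/\2/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    [ "$major" -ge 3 ] 2>/dev/null
}

# scan_host prints one "AFFECTED <kind>: <detail>" line per 3.x artefact and
# returns 0 if anything was found. Statically linked copies (vendored binaries,
# container images) are invisible here and need an SBOM or image scan.
scan_host() {
    hits=0
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version 2>/dev/null || true)
        if is_affected_version "$v"; then
            echo "AFFECTED cli: $(command -v openssl) ($v)"; hits=$((hits + 1))
        fi
    fi
    # OpenSSL 3.x installs libssl.so.3 / libcrypto.so.3 (1.1.x used .so.1.1).
    for f in $(find /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /opt \
               \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) 2>/dev/null || true); do
        echo "AFFECTED lib: $f"; hits=$((hits + 1))
    done
    # Package records give the version to re-check once the fixed build lands.
    pkgs=""
    if command -v dpkg-query >/dev/null 2>&1; then
        pkgs=$(dpkg-query -W -f '${Package} ${Version}\n' 'libssl3*' openssl 2>/dev/null || true)
    elif command -v rpm >/dev/null 2>&1; then
        pkgs=$(rpm -qa --qf '%{NAME} %{VERSION}\n' 'openssl*' 2>/dev/null || true)
    fi
    pkg_hits=$(printf '%s\n' "$pkgs" | while read -r name pver; do
        [ -n "$name" ] && is_affected_version "$pver" && echo "AFFECTED pkg: $name $pver"
    done)
    [ -n "$pkg_hits" ] && { echo "$pkg_hits"; hits=$((hits + 1)); }
    [ "$hits" -gt 0 ]
}

# Usage: sh openssl3-inventory.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_host || echo "no OpenSSL 3.x artefacts found on this host"
fi
```

Running it with `scan` across a fleet (for example through your configuration management tool) gives a list of hosts to prioritise once the fixed release is published; the same package lines can then be re-checked to confirm the update landed.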

More information and a list of affected products can be found at the following link.
https://github.com/NCSC-NL/OpenSSL-2022