OpenSSL v3.0.4, the latest version of the open-source library for applications that secure communications, seems to be carrying a high-severity bug that could allow exploiters to run malicious code, remotely.
The problem is - there’s no proof of concept, which means it still can’t be considered a fully-fledged vulnerability, and the question remains whether it ever will.
Reports claim this version of OpenSSL carries a memory corruption vulnerability on CPUs with the AVX512 extension (Advanced Vector Extensions 512). The version was released in an attempt to fix an earlier command-injection vulnerability (CVE-2022-2068) which, itself, wasn’t able to fix an even earlier issue - CVE-2022-1292.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
High-severity vulnerability, or not?
On GitHub, the explanation is that when ossl_rsaz_mod_exp_avx512_x2(), makes a call off to bn_reduce_once_in_place(), the call includes the value factor_size, which is supposed to be the number of words to process.
However, the old code was sending bit size, which sometimes could result in heap buffer overflow. As the problem can be created via a TLS handshake, remote endpoint abuse is a possibility.
While some researchers believe this warrants a 10/10 severity score, not everyone agrees.
According to security researcher Guido Vranken (opens in new tab), this version "is susceptible to remote memory corruption which can be triggered trivially by an attacker."
> Best business laptops: top devices for working from home, SMB and more (opens in new tab)
> Latest Intel CPUs have 'impossible to fix' security flaw (opens in new tab)
> AMD forced to fix Spectre patch after Intel reveals flaws (opens in new tab)
Vranken did add that the 1.1.1 tree of the library is still being used, rather than v3 tree, and that libssl was forked into LibreSSL and BoringSSL, which could complicate things for potential attackers.
Furthermore, the flaw only affects x64 chips with AVX512, making the attack surface that much smaller.
On the other hand, Tomáš Mráz, software developer at the OpenSSL Foundation, doesn’t think this flaw constitutes a security vulnerability.
"I do not think this is a security vulnerability," he said. "It is just a serious bug making [the] 3.0.4 release unusable on AVX512 capable machines."
The flaw has since been fixed, according to The Register, even though OpenSSL 3.0.5 hasn’t been released just yet.
- Keep your digital premises secure with the best antivirus programs around
Via: The Register (opens in new tab)