Table of Contents:
OpenSSL Vulnerabilities: What Do They Mean to You?
What is Remote Code Execution?
OpenSSL: Vulnerabilities Still Exist
The Broader Question: Improving Security Posture
On November 1, 2022, OpenSSL Security Team published a blog regarding its security advisory for two vulnerabilities, CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”).
CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL (and later downgraded to HIGH) as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).
What is Remote Code Execution?
Remote code execution is equivalent to a full compromise of the affected system or application and can result in serious consequences such as data loss, service disruption, deployment of ransomware or other malware, and lateral movement of the attacker to other sensitive IT systems or software infrastructure.
OpenSSL: Vulnerabilities Still Exist
After some testing in the prenotification period, many testers offered feedback that certain stack overflow protections, if present, would minimize the risk of the remote code execution for this vulnerability, convincing the OpenSSL Technical Team that classifying it as a HIGH vulnerability was sufficient.
However, as the OpenSSL team noted, remote code execution may still be possible on some platforms, especially downstream ones where platform and compiler combinations may not be set right, so the buffers on the stack could still be vulnerable.
Both vulnerabilities are obviously serious and teams should take immediate steps to remediate and patch, in this case upgrading to 3.0.7 or, if applicable, by contacting your operating system provider for vendor specific instructions.
The Broader Question: Improving Security Posture
The OpenSSL deliberations raise a broader question about your security posture: Should we keep waiting for the next patch to fix the next vulnerability that leads to remote code execution or should we solve the problem more globally?
Remote code execution is a security vulnerability that allows attackers to run arbitrary code on a remote machine, whether connected over public or private networks. Vulnerabilities that lead to remote code execution are often rated a critical vulnerability.
In this case, exposure to remote code execution from software in your software supply chain can wreak havoc on your code at runtime exposing you to compromise. RunSafe customers deploy protections that prevent these types of exploitation and in some cases, deploy RunSafe-protected versions of the most common open source packages.
Are the OpenSSL vulnerabilities the last vulnerability across your entire software supply chain to expose you to remote code execution? Certainly not, as you likely have dozens if not hundreds of packages with related memory-based vulnerabilities that could compromise your systems.
Reduce Your Attack Surface
At RunSafe, we offer a simple insert into your build process (compatible with most compilers, operating systems, and instruction sets) that enables load-time function randomization.
This approach eliminates the exploitability of all memory based vulnerabilities in your code—whether known or unknown—even when a patch is not available. You can also subscribe to RunSafe-protected open source packages with our load-time function randomization already applied.
So while you apply the patch for OpenSSL, why not also insert RunSafe Code or RunSafe Repo so you can reduce your attack surface and minimize the risk of exploitation across all your software infrastructure?
Your CEO and Board will be most appreciative.