OpenSSL 3 patch, once Heartbleed-level “critical,” arrives as a lesser “high”

by hasibul
November 1, 2022
Image caption: The fallout of an OpenSSL vulnerability, initially listed as “critical,” should be much less severe than that of the last critical OpenSSL bug, Heartbleed.

An OpenSSL vulnerability that was initially signaled as the first critical-level patch since the Internet-reshaping Heartbleed bug has now been fixed. It ultimately arrived as a “high” security fix for a buffer overflow, one that affects all OpenSSL 3.x installations but is unlikely to lead to remote code execution.

OpenSSL version 3.0.7 was announced last week as a critical security fix release. The specific vulnerabilities (now CVE-2022-3786 and CVE-2022-3602) had been largely unknown until today, but analysts and businesses in the web security field hinted that there could be notable problems and maintenance pain. Some Linux distributions, including Fedora, held up releases until the patch was available. Distribution giant Akamai noted before the patch that half of the networks it monitors had at least one machine with a vulnerable OpenSSL 3.x instance, and within those networks, between 0.2 and 33 percent of machines were vulnerable.

But the specific vulnerabilities—limited-circumstance, client-side overflows that are mitigated by the stack layout on most modern platforms—are now patched, and rated as “High.” And with OpenSSL 1.1.1 still in its long-term support phase, OpenSSL 3.x is not nearly as widespread.

Malware expert Marcus Hutchins points to an OpenSSL commit on GitHub that details the code issues: “fixed two buffer overflows in punycode decoding functions.” A malicious email address, verified within an X.509 certificate, could overflow bytes on the stack, resulting in a crash or potentially remote code execution, depending on the platform and configuration.


But this vulnerability mostly affects clients, not servers, so the kind of Internet-wide security reset (and absurdity) that followed Heartbleed is unlikely to recur. VPNs that use OpenSSL 3.x could be affected, for example, as could runtimes such as Node.js. Cybersecurity expert Kevin Beaumont points out that the stack overflow protections in most Linux distributions’ default configurations should prevent code execution.

What changed between the critical-level announcement and the high-level release? OpenSSL’s security team writes in a blog post that in roughly a week’s time, organizations tested the fix and provided feedback. On some Linux distributions, the 4-byte overflow possible with one attack overwrote an adjacent buffer that was not yet in use, and so could neither crash the system nor execute code. The other vulnerability only allowed an attacker to set the length of an overflow, not its content.

So while crashes are still possible, and some stacks could be arranged in ways that make remote code execution possible, it’s not likely or easy, which downgrades the vulnerabilities to “high.” Users of any 3.x OpenSSL implementation, however, should patch as soon as possible. And everybody should be looking out for software and OS updates that may patch these issues in various subsystems.
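Since the advice is to patch every OpenSSL 3.x install, the first job is finding them. The following Python, added here and not part of the article, classifies `openssl version` banners against the 3.0.7 fix release (3.0.0 through 3.0.6 vulnerable, 1.1.1 not affected); the hostnames and banners in the inventory are constructed samples.

```python
"""Triage OpenSSL version banners against the 3.0.7 fix release for
CVE-2022-3602 / CVE-2022-3786. Added example; not from the article."""
import re
from typing import Dict, Optional, Tuple

# First release carrying the punycode decoder fixes.
FIXED = (3, 0, 7)

# Matches e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) from an `openssl version` banner,
    or None if the banner is not an OpenSSL version line (LibreSSL, etc.)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def classify(banner: str) -> str:
    """One of 'vulnerable', 'fixed', 'not-affected', 'unknown'.
    Only the 3.x line contains the affected punycode decoder; 1.1.1 and
    earlier never shipped it, so they are reported as not affected."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, _letter = parsed
    if major != 3:
        return "not-affected"
    return "fixed" if (major, minor, patch) >= FIXED else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: banner} inventory to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: host name -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "vpn-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "build-01": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Runtimes such as Node.js bundle their own copy of OpenSSL, so for them check the bundled version (for Node.js, `process.versions.openssl`) rather than the system binary, and expect to patch them through a runtime update.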

Monitoring service Datadog, in a good summary of the issue, notes that its security research team was able to crash a Windows deployment using an OpenSSL 3.x version in a proof of concept. And while Linux deployments are not likely exploitable, “an exploit crafted for Linux deployments” could still emerge.

The National Cyber Security Centre of the Netherlands (NCSC-NL) maintains a running list of software vulnerable to the OpenSSL 3.x bugs. Numerous popular Linux distributions, virtualization platforms, and other tools are listed as either vulnerable or under investigation.
