OpenSSL is an open-source encryption toolkit that supports secure online communications. Many servers and operating systems use a version of OpenSSL. The OpenSSL team did not shed more light on this bug as a security measure. The patch — OpenSSL 3.0.7 — will be released between 13:00 and 17:00 UTC.
What Is OpenSSL?
OpenSSL is ubiquitous; it is one of the most widely used Apache Foundation modules. When you visit any website, the chances are that your traffic is being routed through an OpenSSL tunnel to secure the session. Before OpenSSL was introduced in 1998, you could easily spy on what others were doing on the same network. OpenSSL makes services like online banking and e-commerce viable. This OpenSSL vulnerability is more widespread than the Log4J bug identified in 2021.

This is not the first time OpenSSL has found bugs it needs to patch. In 2014, OpenSSL discovered the notorious “Heartbleed” vulnerability, which Check Point researchers estimate may have affected 44 percent of organizations. In 2016, a flaw in OpenSSL 1.0.2 led to crashes and hijacking. In August 2021, OpenSSL also identified a high-severity bug affecting versions 1.1.1 and below that could allow a remote attacker to take control of vulnerable systems.

While details of this vulnerability are unknown, its classification as “critical” means it is possible threat actors can leverage the bug to gain access to user details, execute code remotely, and compromise private server keys across various systems worldwide. OpenSSL 3.0 was released in September last year, so many systems are running on older versions of the toolkit.
What Systems Does This OpenSSL Bug Affect?
It is unclear how many networks, VPN providers, and operating systems the bug may affect. Any VPN service that uses the OpenVPN protocol is vulnerable. Virtual private network (VPN) provider ExpressVPN said in a blog post on Monday that this vulnerability doesn’t affect its service. “The ExpressVPN platform is not affected by the latest OpenSSL vulnerability, although we remain vigilant and will be paying close attention to the announcement on November 1,” ExpressVPN said.

Meanwhile, the Health Sector Cybersecurity Coordination Centre (HC3) has put out an alert warning that health organizations are at risk and should apply the security fix as soon as it is released. “HC3 highly recommends all public and private health sector organizations identify all instances of OpenSSL in their infrastructure and prepare to test and deploy the patch as soon as it is released,” the alert said.

According to the SANS Internet Storm Center, which released a list of affected platforms, there is ample cause for concern for systems that use OpenSSL 3.0. However, older operating systems are not affected by the vulnerability. You can run the command “openssl version” (shown in the SANS post with a leading “%” shell prompt) to check what version of OpenSSL your system uses. SANS’s list includes several Linux operating systems. Any OpenSSL iterations installed via Homebrew or MacPorts on macOS could also be vulnerable. This also applies to Windows systems. You can find SANS’s complete list of affected operating systems here.
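As an added example (not from the article, OpenSSL, HC3 or SANS), a POSIX shell script that does the inventory the HC3 alert asks for: it runs “openssl version” on every OpenSSL binary it can find, including the Homebrew and MacPorts locations the article mentions, and labels each one as affected (3.0.0 through 3.0.6), patched (3.0.7 or later) or not affected by this particular bug (1.1.1 and older). The extra install paths, the version window and the treatment of later 3.x branches are assumptions.

```shell
#!/bin/sh
# Classify one "openssl version" output line against the 3.0.7 advisory window.
# Assumed window: 3.0.0-3.0.6 affected, 3.0.7+ patched, 1.1.1 and older not affected
# by this bug (they may carry other unpatched issues, which this check does not assess).
classify_openssl_version() {
  # $1 is a line such as "OpenSSL 3.0.5 5 Jul 2022"; LibreSSL (macOS /usr/bin) is "unknown".
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
  [ -n "$ver" ] || { echo "unknown"; return 0; }
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%[!0-9]*}          # drop letter suffixes such as the q in 1.1.1q
  case "$major.$minor" in
    3.0) if [ "${patch:-0}" -ge 7 ]; then echo "patched"; else echo "affected"; fi ;;
    3.*) echo "patched" ;;         # assumption: 3.x branches after 3.0 shipped with the fix
    *)   echo "not-affected-by-this-bug" ;;
  esac
}

# Walk PATH plus the usual Homebrew/MacPorts locations (constructed list), run each
# openssl binary found, and print "<path>\t<classification>" so hosts can be triaged.
inventory_openssl() {
  old_ifs=$IFS; IFS=:
  for dir in $PATH /opt/homebrew/bin /usr/local/opt/openssl@3/bin /opt/local/bin; do
    IFS=$old_ifs
    bin="$dir/openssl"
    [ -x "$bin" ] || continue
    printf '%s\t%s\n' "$bin" "$(classify_openssl_version "$("$bin" version 2>/dev/null)")"
  done | sort -u
  IFS=$old_ifs
}

if [ "${1:-}" = "--run" ]; then inventory_openssl; fi
```

Run it as `sh check_openssl.sh --run` on each host; a line ending in “affected” is an instance to upgrade to 3.0.7 as soon as it is released.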