OpenSSL has just published an advisory covering two HIGH severity vulnerabilities (CVE-2022-3602 and CVE-2022-3786), previously pre-announced as a single CRITICAL advisory.
The update (OpenSSL 3.0.7) patches two buffer overflows that occur during X.509 certificate verification, specifically in the name constraint checking code that decodes Punycode. The certificate needs to contain a malicious Punycode-encoded name, and the vulnerable decoding only runs AFTER the certificate chain signatures have been verified. An attacker therefore first needs to have the malicious certificate signed by a certificate authority the client trusts (or the application must carry on verifying despite failing to build a path to a trusted issuer). A TLS server is exposed too if it requests client certificates and a malicious client connects. Only OpenSSL 3.0.0 through 3.0.6 are affected; the 1.1.1 and 1.0.2 branches never contained the Punycode decoder, so they are not vulnerable.
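To make the failure mode concrete, here is an added example of what a Punycode (RFC 3492) label decoder looks like when it checks the output capacity before every write. This is my own standalone decoder written for this post, not OpenSSL's code and not the patched function; the sample label ("mnchen-3ya", the Punycode form of "münchen") and the buffer sizes are constructed for the demonstration. An input that does not fit the caller's buffer is rejected with -1 instead of being written past the end, which is exactly the class of bug the advisory describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 3492 Punycode parameters. */
enum { PC_BASE = 36, PC_TMIN = 1, PC_TMAX = 26, PC_SKEW = 38,
       PC_DAMP = 700, PC_INITIAL_BIAS = 72, PC_INITIAL_N = 128 };

/* Maps a Punycode digit ('a'-'z' = 0..25, '0'-'9' = 26..35) to its value, -1 if invalid. */
static int pc_digit(int c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

/* Bias adaptation from RFC 3492 section 6.1. */
static uint32_t pc_adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;
    delta = firsttime ? delta / PC_DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2) {
        delta /= PC_BASE - PC_TMIN;
        k += PC_BASE;
    }
    return k + (PC_BASE - PC_TMIN + 1) * delta / (delta + PC_SKEW);
}

/* Decodes the Punycode label `in` (without the "xn--" prefix) into `out`,
 * which holds at most `out_cap` code points. Returns the number of code
 * points written, or -1 on malformed input, arithmetic overflow, or when the
 * result would not fit. The capacity is checked before every write, so the
 * caller's buffer can never be overrun, however the input is crafted. */
int punycode_decode(const char *in, size_t in_len, uint32_t *out, size_t out_cap)
{
    uint32_t n = PC_INITIAL_N, bias = PC_INITIAL_BIAS, i = 0;
    size_t out_len = 0, pos = 0, basic_end = 0;
    int has_delim = 0;

    /* Everything before the last '-' is copied verbatim (basic code points only). */
    for (size_t j = 0; j < in_len; j++)
        if (in[j] == '-') { basic_end = j; has_delim = 1; }
    for (size_t j = 0; j < basic_end; j++) {
        if ((unsigned char)in[j] >= 0x80) return -1;
        if (out_len >= out_cap) return -1;              /* bounds check */
        out[out_len++] = (unsigned char)in[j];
    }
    pos = has_delim ? basic_end + 1 : 0;

    /* Each delta encodes one non-basic code point and its insertion position. */
    while (pos < in_len) {
        uint32_t oldi = i, w = 1;
        for (uint32_t k = PC_BASE; ; k += PC_BASE) {
            uint32_t t;
            if (pos >= in_len) return -1;              /* truncated delta */
            int digit = pc_digit((unsigned char)in[pos++]);
            if (digit < 0) return -1;
            if ((uint32_t)digit > (UINT32_MAX - i) / w) return -1;
            i += (uint32_t)digit * w;
            t = k <= bias ? PC_TMIN : k >= bias + PC_TMAX ? PC_TMAX : k - bias;
            if ((uint32_t)digit < t) break;
            if (w > UINT32_MAX / (PC_BASE - t)) return -1;
            w *= PC_BASE - t;
        }
        bias = pc_adapt(i - oldi, (uint32_t)out_len + 1, oldi == 0);
        if (i / (out_len + 1) > UINT32_MAX - n) return -1;
        n += i / (uint32_t)(out_len + 1);
        i %= (uint32_t)(out_len + 1);
        if (n < 0x80 || n > 0x10FFFF) return -1;       /* basic or out of Unicode range */
        if (out_len >= out_cap) return -1;              /* bounds check before insertion */
        memmove(&out[i + 1], &out[i], (out_len - i) * sizeof out[0]);
        out[i] = n;
        out_len++;
        i++;
    }
    return (int)out_len;
}

int main(void)
{
    /* Constructed sample: "xn--mnchen-3ya" decodes to "münchen" (U+00FC at index 1). */
    const char *label = "mnchen-3ya";
    uint32_t cps[16];
    int len = punycode_decode(label, strlen(label), cps, 16);
    if (len < 0) { puts("decode failed"); return 1; }
    for (int j = 0; j < len; j++) printf("U+%04X ", cps[j]);
    putchar('\n');
    /* The same label into a buffer for only 6 code points is rejected, not overrun. */
    printf("undersized buffer -> %d\n", punycode_decode(label, strlen(label), cps, 6));
    return 0;
}
```

The point to take from this is the placement of the capacity checks: one before the verbatim copy of the basic part, one before each insertion of a decoded code point. The amount of output a Punycode label produces is not known until it is decoded, so a decoder that sizes its buffer from the input length instead of checking on every write is exactly what a crafted certificate name can push past its end.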
As an interesting aside, this is the second big announcement from OpenSSL: back in 2014 they announced Heartbleed (CVE-2014-0160). That vulnerability, in OpenSSL's handling of the TLS heartbeat extension, remains unpatched on a significant number of internet-accessible systems.
Affected Software
NCSC-NL and other partners are maintaining a list of software that is known to be vulnerable (or not) to this latest OpenSSL vulnerability. This is NOT an exhaustive list, but hopefully a useful reference!
https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
More Information
For more information, check out these links!
- https://www.openssl.org
- https://www.openssl.org/news/secadv/20221101.txt
- https://www.openssl.org/news/vulnerabilities.html
- https://www.openssl.org/news/newslog.html
Original Post
This post was originally authored on this blog; you can also see the corresponding LinkedIn article here: https://www.linkedin.com/pulse/unexpectations-andrew-barnes/