
OpenSSL – Validate Detection and Protection Now with Cymulate

Looking at this week’s OpenSSL announcement regarding the vulnerability CVE-2022-3602 found in OpenSSL versions 3.0.x – 3.6.x, we can all breathe a sigh of relief.

OpenSSL is by far the most widely used encryption library globally, appearing in millions of applications. This is the first time the OpenSSL project gave advance warning of a critical patch. The industry was concerned, remembering the OpenSSL Heartbleed vulnerability disclosed in April 2014, which was exploitable on every version and instance of OpenSSL running at that time.

In this week’s case, the issue was initially rated CRITICAL before release. Under OpenSSL’s severity categories, that rating means the problem would affect standard configurations and be widely exploitable. Fortunately, upon release, OpenSSL downgraded the severity to HIGH, meaning it affects fewer, less common configurations and is less likely to be exploitable.

Tracked as two separate bugs, CVE-2022-3602 and CVE-2022-3786, both patched in OpenSSL version 3.07, the vulnerabilities are buffer overruns that can be triggered during X.509 certificate verification on email servers. The overflow could cause a crash, resulting in a denial of service, or potentially remote code execution. This means only those running OpenSSL versions 3.0.x – 3.6.x on email servers, email security gateway appliances/apps, and email clients performing X.509 certificate authentication are susceptible. A further mitigating factor is that many platforms implement stack overflow protections that reduce the risk of remote code execution.
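One defensive check a practitioner would want alongside the description above is an inventory pass that reads each host’s `openssl version` banner and flags 3.0 builds still older than the fix release. This is an added example, not Cymulate’s scenario or OpenSSL project code; it assumes the 3.0.7 fix release as the boundary (written 3.07 above), and the inventory lines are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Assumption for this example: the two CVEs affect 3.0.x builds older than
# the 3.0.7 fix release (written "3.07" in the post above).
FIX_RELEASE = (3, 0, 7)

# Constructed sample inventory: host name -> output of `openssl version`.
SAMPLE_INVENTORY: Dict[str, str] = {
    "mail-gw-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "mail-gw-02": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "smtp-relay": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "legacy-imap": "OpenSSL 1.1.1q  5 Jul 2022",
    "unknown-box": "sh: openssl: command not found",
}

_VER = r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)"


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return the libcrypto version from an `openssl version` banner.
    The CLI may be linked against a different library than it was built
    with; the library does the X.509 checking, so it wins when present."""
    m = re.search(r"Library:\s*" + _VER, banner) or re.search(_VER, banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True only for a 3.0.x build older than the fix release."""
    return version[:2] == FIX_RELEASE[:2] and version < FIX_RELEASE


def classify(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'affected', 'not affected' or 'unknown'."""
    labels = {}
    for host, banner in inventory.items():
        v = parse_version(banner)
        if v is None:
            labels[host] = "unknown"
        else:
            labels[host] = "affected" if is_affected(v) else "not affected"
    return labels


if __name__ == "__main__":
    for host, label in classify(SAMPLE_INVENTORY).items():
        print(f"{host:12} {label}")
```

Hosts labelled "unknown" need a manual look, since a missing or unparsable banner is not evidence that the library is patched.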

While some chuckle at OpenSSL for initially grading the issue as CRITICAL and then downgrading it to HIGH, I applaud their caution and quick turnaround from announcement to fix.

Let Cymulate Help!

We have created an Advanced Scenario that allows our customers to test existing OpenSSL instances to see if they are vulnerable to these two CVEs.

See the Cymulate Hub for instructions.

If you are not a customer, Cymulate security validation experts will be more than happy to guide you so you can test as well.

