A critical vulnerability has been pre-announced in OpenSSL, the cryptographic library that implements the TLS (Transport Layer Security) protocol on Linux, Unix, Windows and many other operating systems. Check Point Software issued the following announcement:
The OpenSSL management team has warned of the upcoming disclosure of a critical vulnerability. Check Point is warning every organization to start preparations now.
OpenSSL, the cornerstone for a secure internet, has announced a patch for a critical severity security vulnerability.
While details have not yet been shared, organizations are being asked to remain vigilant and prepare for systems to be patched and updated next Tuesday, November 1. Because OpenSSL is so widely used, the potential scope of this vulnerability is huge, hence the urgent need to patch and update systems. Check Point researchers are closely following the development of this story and will update on new protections as any details become available.
In an official statement last Tuesday, the OpenSSL management team announced the imminent release of its next version, which will be released on Tuesday, November 1, 2022 between 1300-1700 UTC. This release is expected to include a fix for a CRITICAL security vulnerability.
OpenSSL defines a critical vulnerability as follows:
“CRITICAL Severity. This affects common configurations, which are also likely to be exploitable…”.
While the exact details of the vulnerability are still unknown at this point, we urge organizations to remain alert to the release - and to keep both their systems and all protections up-to-date, until further details are revealed.
Which versions of OpenSSL are vulnerable?
OpenSSL versions 3.0 and above are the ones listed as affected. OpenSSL 3.0.7 is expected to be the next release and should include the fix for the critical vulnerability.
What is OpenSSL?
OpenSSL is a widely used code library designed to enable secure communication over the internet. Simply put, every time we browse the web, the website we visit or the online service we access is very likely relying on OpenSSL at a very basic level, which means that on Tuesday morning we should all be on high alert for what the OpenSSL project team releases. It is expected to touch broad aspects of our shared use of the internet.
What might be the danger?
While we'll have to wait until November 1st to learn exactly what the vulnerability is, it could involve the disclosure of private key material or user information. Either way, it would undermine the very foundations of the encrypted sessions we all rely on with so many services today. Because OpenSSL is so widespread, this could become a mass event.
What can I do until more details are revealed?
Organizations should remain vigilant and follow security best practices, such as keeping all systems and operating systems fully patched and preparing to update IPS signatures as they become available.
We also recommend that organizations establish in detail where OpenSSL is used within their environment. A Software Bill of Materials (SBOM), which provides a detailed list of the company's software components, is the tool for this; with it, the critical areas can be prioritized and the expected patch prepared for.
The Check Point team is following this story closely and will report developments as they become available.
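The inventory step the announcement recommends (finding where OpenSSL is used and which version) can be partly automated. The following is an added example, not code from Check Point or the OpenSSL project: it parses a small CycloneDX-style SBOM constructed inline (a hypothetical inventory), parses the output format of `openssl version`, and flags components in the 3.0 series below the announced fix release 3.0.7. The affected range follows what the page states (the 3.0 series), so 1.1.1 builds fall outside it; the component-name matching (`openssl` / `libssl*`) is an assumption about how packagers name the library.

```python
"""Inventory helper for the OpenSSL 3.0.x pre-announcement.

Added example (not Check Point's or OpenSSL's code). Flags OpenSSL
components in the 3.0 series below 3.0.7, the announced fix release.
"""
import json
import re
import ssl
from typing import Optional

# The release the pre-announcement says will carry the fix.
FIX_VERSION = (3, 0, 7)

# Constructed sample SBOM in CycloneDX JSON shape (hypothetical inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.5",
         "purl": "pkg:deb/debian/openssl@3.0.5-1"},
        {"type": "library", "name": "libssl3", "version": "3.0.2-0ubuntu1.6",
         "purl": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.6"},
        {"type": "library", "name": "openssl", "version": "1.1.1q",
         "purl": "pkg:generic/openssl@1.1.1q"},
        {"type": "library", "name": "openssl", "version": "3.0.7"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})


def parse_version(text: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from strings such as '3.0.5',
    '3.0.2-0ubuntu1.6', '1.1.1q' or 'OpenSSL 3.0.5 5 Jul 2022'
    (the `openssl version` output format). None if no dotted version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """True for the 3.0 series below the announced fix release 3.0.7."""
    return tuple(version[:2]) == (3, 0) and tuple(version[:3]) < FIX_VERSION


def scan_sbom(sbom_json: str) -> list:
    """Return [(name, version_string)] for OpenSSL components needing the patch.
    Assumption: packagers name the library 'openssl' or 'libssl<N>'."""
    data = json.loads(sbom_json)
    hits = []
    for comp in data.get("components", []):
        name = comp.get("name", "").lower()
        if "openssl" not in name and not name.startswith("libssl"):
            continue
        v = parse_version(comp.get("version", ""))
        if v is not None and is_affected(v):
            hits.append((comp["name"], comp["version"]))
    return hits


def local_python_openssl_affected() -> bool:
    """Check the OpenSSL build the running interpreter is linked against.
    ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status)."""
    return is_affected(ssl.OPENSSL_VERSION_INFO[:3])


if __name__ == "__main__":
    state = "affected" if local_python_openssl_affected() else "not in affected range"
    print(f"Interpreter OpenSSL: {ssl.OPENSSL_VERSION} ({state})")
    for name, ver in scan_sbom(SAMPLE_SBOM):
        print(f"PATCH NEEDED: {name} {ver}")
```

Run it against a real SBOM by replacing `SAMPLE_SBOM` with the file contents; the same `parse_version` handles lines collected from `openssl version` on each host, which is the quickest way to cover machines that have no SBOM yet.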
Lotem Finkelstein, Director of Threat Intelligence and Research at Check Point, commented:
The recent announcement by the OpenSSL program that the upcoming November 1st release would include a fix for a critical vulnerability has put the Internet technology community on alert. The critical vulnerability in OpenSSL has the potential to shake the foundations of the encrypted internet and the privacy of us all. This is indeed a very important development. While we'll have to wait and read what the OpenSSL team has to share on Tuesday, we'd like to urge all organizations to improve their oversight of the various applications and web services they use or provide, and the version of OpenSSL they're running. This is not an easy task, but on Tuesday we will have to make sure we are familiar with the weak points of our systems and act to prevent future attacks.