Developers Can’t Fix a Serious Vulnerability in OpenSSL

OpenSSL 3.0.4, released on June 21 this year, contains a serious memory corruption vulnerability.

The issue poses a threat to 64-bit systems with Intel AVX-512 (Advanced Vector Extensions 512) support, but not all experts agree that this issue should be treated as a vulnerability at all.

It all started when the new version of OpenSSL, released last week, addressed a command injection vulnerability (CVE-2022-2068) that the previous patch (CVE-2022-1292) had not completely fixed.

Alas, it turned out that this time the correction again did not go quite according to plan. Information security specialist Guido Vranken explains that OpenSSL version 3.0.4 is “susceptible to a remote memory breach that can be easily exploited by an attacker.”

The expert emphasizes that if this bug can be exploited remotely (there is no certainty on this yet), it could turn out to be a more serious problem than the well-known Heartbleed vulnerability (CVE-2014-0160), at least from a technical point of view.

However, Vranken hopes that things are not so bad and notes several factors that may save the situation: the continued use of the 1.1.1 branch rather than the third version; the forking of libssl into LibreSSL and BoringSSL; the short period of time during which version 3.0.4 was available; and the fact that the bug only affects x64 systems with AVX512. These instructions are only available on some Intel chips released between 2016 and 2022. This year, Intel also began to completely disable support for AVX512 on the 12th generation Intel Core Alder Lake processors.
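A host triage check for the conditions listed above (OpenSSL 3.0.4, x64, AVX512), as an added example rather than code from the article or the OpenSSL project. It assumes the Linux `/proc/cpuinfo` flag format and the `openssl version` banner format; the function names and sample strings are constructed for illustration.

```python
import platform
import re
import subprocess

AFFECTED_VERSION = "3.0.4"  # the only release the article names as affected


def parse_openssl_version(banner):
    """Extract 'X.Y.Z[letter]' from `openssl version` output, or None."""
    m = re.match(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", banner.strip())
    return m.group(1) if m else None


def cpu_has_avx512(cpuinfo_text):
    """True if any 'flags' line in Linux /proc/cpuinfo lists an avx512* flag."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and any(f.startswith("avx512") for f in value.split()):
            return True
    return False


def assess(banner, machine, cpuinfo_text):
    """Return (exposed, reason); exposed is None when the version is unknown."""
    version = parse_openssl_version(banner)
    if version is None:
        return None, "could not parse an OpenSSL version from the banner"
    if version != AFFECTED_VERSION:
        return False, f"OpenSSL {version} is not the affected 3.0.4 release"
    if machine.lower() not in ("x86_64", "amd64"):
        return False, f"3.0.4 present, but {machine} is not x64"
    if not cpu_has_avx512(cpuinfo_text):
        return False, "3.0.4 present, but the CPU reports no AVX512 flags"
    return True, "OpenSSL 3.0.4 on x64 with AVX512: do not run this build here"


# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)"
SAMPLE_CPUINFO_AVX512 = "processor\t: 0\nflags\t\t: fpu sse2 avx2 avx512f avx512ifma\n"
SAMPLE_CPUINFO_PLAIN = "processor\t: 0\nflags\t\t: fpu sse2 avx avx2\n"

if __name__ == "__main__":
    # Live check: reads the openssl binary on PATH and this host's CPU flags.
    banner = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    with open("/proc/cpuinfo") as fh:
        print(assess(banner, platform.machine(), fh.read()))
```

The live check only sees the `openssl` binary on `PATH`; applications that bundle or statically link their own libcrypto need to be inventoried separately.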

The new bug, an AVX512-related buffer overflow that could beat Heartbleed, became known six days ago. The problem has now been fixed, although OpenSSL version 3.0.5 has not yet been released.

Interestingly, based on the discussion on GitHub Issues, Tomáš Mráz, developer of the OpenSSL Foundation, is generally confident that this issue should not be classified as a security vulnerability.

“I don’t think it’s a security vulnerability. It’s just a serious bug that prevents version 3.0.4 from being used on machines that support AVX512,” Mraz writes.

Although other experts agree with Mraz’s opinion, there are those who do not share this point of view. For example, Alex Gaynor of the US Digital Service claims the opposite:

“I don’t quite understand why this isn’t a security vulnerability. This is a heap buffer overflow that can be triggered by things like RSA signatures, which can easily happen in a remote context (e.g. TLS handshake). I think this is a CRITICAL issue, according to the OpenSSL Severity Policy, and in fact it makes it impossible to upgrade to version 3.0.4 to receive security fixes,” writes Gaynor, calling for a fix to be released as soon as possible.
About The Author
Vladimir Krasnogolovy