Developers Can’t Fix a Serious Vulnerability in OpenSSL
OpenSSL 3.0.4, released on June 21 this year, contains a serious memory corruption vulnerability.
The issue poses a threat to 64-bit systems with Intel AVX-512 (Advanced Vector Extensions 512) support, but not all experts agree that this issue should be treated as a vulnerability at all.
Let me remind you that we also wrote that Experts Found Long-Standing Bugs in Avast and AVG Antiviruses.
It all started when the new version of OpenSSL, released last week, addressed a command injection vulnerability (CVE-2022-2068) that the earlier patch for CVE-2022-1292 had not fully fixed.
Alas, this fix also did not go entirely to plan. Information security specialist Guido Vranken explains that OpenSSL version 3.0.4 is “susceptible to a remote memory breach that can be easily exploited by an attacker.”
The expert emphasizes that if this bug can be exploited remotely (there is no certainty on this yet), it could turn into a more serious problem than the well-known Heartbleed vulnerability (CVE-2014-0160), at least from a technical point of view.
However, Vranken hopes that things are not so bad. Several factors may save the situation: the continued widespread use of the 1.1.1 branch rather than the 3.x series; the existence of forks such as LibreSSL and BoringSSL; the short period of time during which version 3.0.4 was available; and the fact that the bug only affects x64 systems with AVX-512. These instructions are only available on some Intel chips released between 2016 and 2022. Let me remind you that this year Intel began to completely disable AVX-512 support on its 12th generation Intel Core Alder Lake processors.
The bug, a buffer overflow in the AVX-512 code path that could outdo Heartbleed, became known six days ago. The problem has now been fixed in the OpenSSL source, although OpenSSL version 3.0.5, which will carry the fix, has not yet been released.
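Since the article names the two conditions that make a host exposed (OpenSSL 3.0.4 and an x64 CPU with AVX-512), a defender's first question is which machines match both. The following script is an added example and not code from the article or from the OpenSSL project; it assumes a Linux host with /proc/cpuinfo and the openssl CLI on PATH, and the helper functions can also be run on constructed input.

```shell
#!/bin/sh
# Added example (not from the article): report whether a host matches the
# conditions described for the OpenSSL 3.0.4 AVX-512 bug. Assumes Linux
# (/proc/cpuinfo) and an openssl binary on PATH for the live check.

# Return 0 if the version string names the affected release, 3.0.4.
# "openssl version" prints e.g. "OpenSSL 3.0.4 21 Jun 2022".
is_affected_version() {
    case "$1" in
        "OpenSSL 3.0.4 "*|"OpenSSL 3.0.4"|3.0.4) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a cpuinfo "flags" line advertises any AVX-512 feature
# (avx512f, avx512dq, avx512ifma, ...); all share the "avx512" prefix.
cpu_has_avx512() {
    case " $1 " in
        *" avx512"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both conditions: the host is exposed only if both hold.
# Returns 0 (and prints AFFECTED) when exposed, 1 otherwise.
check_host() {
    ver="$1"
    flags="$2"
    if is_affected_version "$ver" && cpu_has_avx512 "$flags"; then
        echo "AFFECTED: $ver on a CPU with AVX-512"
        return 0
    fi
    echo "not affected: $ver"
    return 1
}

# Live run on this host; set OPENSSL_CHECK_NO_LIVE=1 to skip it and only
# use the functions on constructed input.
if [ -z "${OPENSSL_CHECK_NO_LIVE:-}" ]; then
    live_ver=$(openssl version 2>/dev/null || echo "unknown")
    live_flags=""
    if [ -r /proc/cpuinfo ]; then
        live_flags=$(sed -n '/^flags/{p;q;}' /proc/cpuinfo 2>/dev/null || true)
    fi
    check_host "$live_ver" "$live_flags" || true
fi
```

Run it on each host of interest (or feed it the output of `openssl version` and the `flags` line gathered by your inventory tooling); a host that prints "not affected" because it runs the 1.1.1 branch or lacks AVX-512 is exactly the situation the article describes as limiting the bug's impact.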
Interestingly, judging by the discussion on GitHub Issues, Tomáš Mráz, a developer at the OpenSSL Foundation, is confident that this issue should not be classified as a security vulnerability.
Although some experts agree with Mráz’s opinion, others do not share this point of view. For example, Alex Gaynor of the US Digital Service claims the opposite: