What to know and do about this week’s OpenSSL vulnerability
There’s a lot still unknown about this week’s OpenSSL vulnerability, until further details are released on Tuesday November 1st. But there’s already noise and concern, and also an opportunity to get prepared ahead of the details.
OpenSSL is an open source cryptography library that is very widely used in a range of commercial and internal applications to provide encryption and other security and privacy capabilities. It’s found in applications that are deployed on-premises, in the cloud, in SaaS applications, on endpoints, on servers, in IOT or OT environments, and more. So, the potential for disruption is high when there is a serious flaw in OpenSSL.
What is the issue in OpenSSL?
The details are not known at this time (but we will update this blog once further details are released). The OpenSSL Project team has indicated that the vulnerability is “critical”, and affected versions will require patching to a new version 3.0.7 or higher. It’s only the second time that OpenSSL has had a vulnerability labeled “critical” (the first one being in September 2016). Vulnerabilities at this severity level “affect common configurations and […] are also likely to be exploitable.”
There is some good news, however: this week’s security issue is only affecting OpenSSL version 3.0 and higher, which will limit the scope of affected applications. Version 3.0 was only released just over a year ago, on September 7, 2021, and many applications are still using older versions that do not contain this new flaw.
Even if an application is using OpenSSL 3.0 or higher, it’s possible there are situations where an application remains safe from exploitation of the new flaw, as perhaps the vulnerability isn’t exposed in every circumstance. Further information is needed before this can be properly assessed.
How can you prepare?
While details remain unknown, there are still steps you can take ahead of Tuesday’s update.
1. Don’t panic: There are many applications still using OpenSSL versions earlier than 3.0, and these are unaffected. It’s extremely unlikely you will face issues in all of your applications.
2. Find internal applications using OpenSSL 3.0 or higher: Now is a great time to identify any internal applications (e.g. custom applications built by your employees or contractors) that are using affected versions of OpenSSL. You can leverage an existing “software bill of materials” (SBOM), or run a scan in your company’s source code repositories. Once further details are known, you’ll be able to assess impact more quickly, focusing on assessing whether the vulnerability is exploitable in each application’s case.
3. Prepare to check 3rd party vendor status: Many 3rd party applications use OpenSSL, and you will want to query vendors for applications you use, whether on-premises or SaaS, in order to understand how they are affected.
4. Prepare to patch: Expect that some of your in-house and 3rd party applications will require urgent patching. Consider prioritization based on your inventory, and anticipate the need for extra resources to focus on patching in the near-term.
5. Prepare to temporarily take some applications offline: If the vulnerability details reveal serious risk to your company’s operations or data, and patches are not available in a timely fashion, it may be necessary to take these applications offline temporarily. There is no need to take this step now, but the possibility is worth advance thought.
6. Consider mitigations once further details are known: It’s too soon to know what mitigations will be effective beyond patching. It’s possible that technologies such as Intrusion Prevention Systems (for example, Trend Micro’s TippingPoint) or Host Intrusion Prevention Systems (for example the virtual patching features found in Trend Micro’s Cloud One and Apex One endpoint security products) may be effective against exploitation of this OpenSSL vulnerability, but until further details are released, Trend Micro does not know if these mitigations are effective. It’s also possible that exploitation would be visible in Extended Detection and Response (XDR) or Endpoint Detection and Response (EDR) products, but again it is too soon to tell.
Are Trend Micro Products Affected?
Trend Micro does not yet know if its products are affected by the OpenSSL 3.0 vulnerability, as more details are needed in order to complete this review.
An initial knowledge base has been published here and will be updated as more information becomes available.