At a glance.
- OpenSSL patches high-severity vulnerabilities.
- ICS security report.
- DNS threats.
OpenSSL patches high-severity vulnerabilities.
The OpenSSL Project has released patches for two high-severity vulnerabilities in OpenSSL versions 3.0.0 and above. The threat was initially described as "critical," and Akamai notes that observers are taking it very seriously due to the rarity of a critical flaw in OpenSSL. The OpenSSL Project stated today that "Further analysis based on some of the mitigating factors...have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible."
The first vulnerability (CVE-2022-3602) could cause a denial-of-service or lead to remote code execution:
"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.
"Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler."
The second vulnerability (CVE-2022-3786) could be used to trigger a denial-of-service:
"An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
"In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects."
Researchers at Nucleus point out that while the vulnerabilities are serious, the threat may not be as widespread as some headlines suggested, since most organizations are still running OpenSSL 1.x or 2.x.
Nucleus states, "According to many prominent voices in the space, not a lot of organizations are going to find themselves in OpenSSL 3.x+ (the versions of OpenSSL affected by this vulnerability), unless they have machines spun up with newer technologies, such as RHEL 9 and Ubuntu 22.04, which already have OpenSSL 3.0 bolted on. If that’s the case and you’re currently running OpenSSL 3.x in production, the critical rating of severity determined by the OpenSSL team strongly indicates the possibility that this could be a remote-enabled exploit of the OpenSSL software."
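Because the first question for defenders is simply which OpenSSL line a host runs, here is a small triage helper added to this digest (it is not code from the OpenSSL Project or from Nucleus). It parses `openssl version` output and flags 3.0.x builds older than the patched release; the patched release number is an assumption that should be confirmed against the OpenSSL advisory, so it is a parameter rather than a hard-coded fact.

```python
"""Triage helper for the OpenSSL 3.x advisory discussed above.

Parses the output of `openssl version` (or a package version string) and
reports whether the build falls in the range the advisory covers:
OpenSSL 3.0.0 up to, but not including, the patched 3.0.x release.
"""
import re
import subprocess
from typing import Optional, Tuple

# Assumption: the first patched 3.0.x release. Confirm this against the
# OpenSSL advisory and pass a different value to is_affected() if needed.
DEFAULT_PATCHED = (3, 0, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as
    'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1q  5 Jul 2022'.
    Letter suffixes (1.1.1q) are ignored: the 1.x line is out of scope here.
    Returns None for non-OpenSSL strings such as 'LibreSSL 3.3.6'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_affected(text: str, patched=DEFAULT_PATCHED) -> Optional[bool]:
    """True if the string names a 3.0.x build older than `patched`,
    False if it is outside that range, None if it cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    return (3, 0, 0) <= v < patched


def local_openssl_status(patched=DEFAULT_PATCHED):
    """Run the local `openssl version` and classify it; (None, None) if
    the openssl binary is not on PATH."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None, None
    return proc.stdout.strip(), is_affected(proc.stdout, patched)


if __name__ == "__main__":
    text, flagged = local_openssl_status()
    print(f"{text!r}: affected={flagged}")
```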
ICS security report.
The SANS 2022 OT/ICS Cybersecurity Report, sponsored by Nozomi Networks, was released late last week. The survey indicates that OT cybersecurity has improved compared to last year’s survey:
- “62% of respondents rated the risk to their OT environment as high or severe (down slightly from 69.8% in 2021).
- “Ransomware and financially motivated cybercrimes topped the list of threat vectors (39.7%) followed by nation-state sponsored attacks (38.8%). Non-ransomware criminal attacks came in third (cited by 32.1%), followed closely by hardware/software supply chain risks (30.4%).
- “While the number of respondents who said they had experienced a breach in the last 12 months dropped to 10.5% (down from 15% in 2021), 35% of those said the engineering workstation was an initial infection vector (doubling from 18.4% last year).
- “35% did not know whether their organizations had been compromised (down from 48%) and 24% were confident that they hadn’t had an incident (a 2x improvement over the previous year).
- “In general, IT compromises remain the dominant access vector (41%) followed by replication through removable media (37%)”
DNS threats.
Akamai’s DNS Threat Report for Q3 2022 has found that 14% of devices connected with a malicious destination at least once during the quarter. The researchers state, “Breaking down these potentially compromised devices further, 59% of the devices communicated with malware or ransomware domains, 35% communicated with phishing domains, and 6% communicated with command and control (C2) domains.”
Akamai adds, “Comparing 2022 Q3 results with 2022 Q1 and Q2 results, we can see stability across all categories with some increase on the C2 front. Since we are not able to attribute this increase to a specific attack campaign, we are attributing it to seasonal changes in the threat landscape. It’s also possible that the increase can be attributed to an increase in vulnerable devices.”
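The per-device figures Akamai reports (share of devices that reached a malicious destination at least once, then the split across malware, phishing and C2) can be reproduced from any resolver's own logs. The following is an added example with constructed log lines and placeholder category domains, not Akamai's code or data; a device that touched more than one category is counted under each.

```python
"""Per-device DNS exposure figures of the kind in the Akamai report,
computed over resolver log lines. Constructed example data throughout."""
from collections import defaultdict

# Constructed category list (placeholder domains, not real indicators).
THREAT_DOMAINS = {
    "malware.example": "malware",
    "locker.example": "malware",
    "login-verify.example": "phishing",
    "beacon.example": "c2",
}

# Constructed resolver log: "<timestamp> <client> <query name>"
SAMPLE_LOG = """\
2022-09-01T10:00:01 10.0.0.11 www.example.org
2022-09-01T10:00:02 10.0.0.12 malware.example
2022-09-01T10:00:03 10.0.0.13 cdn.example.net
2022-09-01T10:00:04 10.0.0.12 beacon.example
2022-09-01T10:00:05 10.0.0.14 login-verify.example
2022-09-01T10:00:06 10.0.0.15 mail.example.com
2022-09-01T10:00:07 10.0.0.16 intranet.example
2022-09-01T10:00:08 10.0.0.17 docs.example.org
"""


def classify(qname: str):
    """Category for a query name, matching it or any parent domain
    (a.b.malware.example -> 'malware'); None when not listed."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = THREAT_DOMAINS.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def exposure(log: str):
    """Return (share of devices with >=1 listed lookup, {category: share of
    those devices that touched it}). Devices are keyed by client address."""
    devices = set()
    hits = defaultdict(set)  # client -> set of categories seen
    for line in log.splitlines():
        _, client, qname = line.split()
        devices.add(client)
        cat = classify(qname)
        if cat:
            hits[client].add(cat)
    n_hit = len(hits)
    share = n_hit / len(devices) if devices else 0.0
    by_cat = defaultdict(int)
    for cats in hits.values():
        for c in cats:
            by_cat[c] += 1
    return share, {c: n / n_hit for c, n in by_cat.items()} if n_hit else {}
```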
The report also looked at phishing kits, finding that the most impersonated brands were Adobe and M&T Bank:
“According to Akamai research that tracked 299 different phishing toolkits being used in the wild to launch new attack campaigns, in Q3 2022, 2.01% of the tracked kits were reused on at least 63 distinct days (Figure 5). Further, 53.2% of the kits were reused to launch a new attack campaign on at least five days, and 100% of the tracked kits were reused on no fewer than three distinct days over Q3.”