OpenSSL released a patch for high severity vulnerabilities – do operators and vendors of connected devices need to worry?

The short answer is: not about this patch. The effects of CVE-2022-3786 and CVE-2022-3602 on ICS, IoT, and IoMT devices are negligible. But the long answer is more complex than this.

But first things first:

OpenSSL released an announcement on October 25th, 2022 that their upcoming release of OpenSSL 3.0.7 will contain patches of critical vulnerabilities, giving a head-start to affected organizations to schedule maintenance windows and to prepare for rapid patching of affected systems.

Further investigations into CVE-2022-3602, a 4-byte buffer overflow when parsing email addresses containing punycode in X.509 certificates, in the week preceding the release did not confirm initial assumptions about the likelihood of exploitability in common configurations. Thus, the severity was lowered to “high”, as common stack layouts and modern stack overflow protections reduce the impact of the issue.

The two vulnerabilities patched in OpenSSL 3.0.7 affect the OpenSSL 3 branch, versions 3.0.0 through 3.0.6.

Having analyzed tens of thousands of firmware images of connected devices, and having automatically generated the software bill of materials (SBOM) for these devices, we were naturally interested about the effects this vulnerability would have on the security of these devices. OpenSSL is a common library, also used in connected devices to support encrypted communication. But OpenSSL 3 is not.

OpenSSL 3 was released just over a year ago, on September 7, 2021. Any firmware image released before this date therefore cannot contain OpenSSL 3 and cannot be affected by these vulnerabilities (but will likely be affected by many other vulnerabilities). We have investigated the distribution of OpenSSL versions, and OpenSSL 3 is used by less than 0.1% of devices.

While device vendors and operators of connected devices don’t have to wake up at night for OpenSSL 3 related security issues, this investigation uncovered other worrying facts:

  • Only 25% of devices run on a supported OpenSSL branch (1.1.1 or 3.0) – assuming that the 38% of devices running OpenSSL 1.0.2 are not covered by extended LTS.
  • The oldest OpenSSL version we observed was 0.9.2, which was released in 1999.
  • Less than 5% of devices use an OpenSSL version newer than one year (not considering backported patches).

But why is this?

Aside from the general difficulty of keeping dependencies and systems up to date, to which vendors of connected devices are no exception, popular Linux distributions play an important role too:

  • OpenWRT switched to OpenSSL 1.1.1q in its 22.03.0-rc6 release, which was published on August 2nd, 2022.
  • Yocto recently switched from OpenSSL 1.1.1l to OpenSSL 3.0.2 in their 4.0 (kirkstone) release, which was published in April 2022.
  • Android only includes OpenSSL bindings for Rust

OpenSSL is commonly linked statically into other products, so vendors relying on third-party SDKs or libraries that include OpenSSL may not even be aware that they ship it.
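Because OpenSSL compiles its version banner (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.1.1q  5 Jul 2022") into libcrypto as a string constant, the banner also survives in any binary that links OpenSSL statically, which is what makes the firmware survey above possible without source code. The following is an added example, not ONEKEY's tooling or the OpenSSL project's code: it scans binary blobs for that banner, maps each version to its release branch, flags the supported branches (1.1.1 and 3.0, treating 1.0.2 as unsupported as the post does) and the 3.0.0–3.0.6 range fixed by 3.0.7, and computes the share of images on a supported branch. The sample "firmware" blobs, file names and the function names are constructed for illustration; like the post's own numbers, the check cannot see vendor or distro backports.

```python
"""Find OpenSSL version banners in firmware binaries and classify them (added example)."""
import re
from typing import Dict, List, Tuple

# OpenSSL embeds OPENSSL_VERSION_TEXT in libcrypto, so the same string appears in
# any binary that links OpenSSL statically, e.g. "OpenSSL 1.1.1q  5 Jul 2022".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})(?:\s+\d{1,2} \w{3} \d{4})?")

# Branches maintained upstream when the post was written: 1.1.1 (LTS until
# 11 Sep 2023) and 3.0. 1.0.2 is counted as unsupported (no extended LTS assumed).
SUPPORTED_BRANCHES = {"1.1.1", "3.0"}

# 3.0.0 .. 3.0.6 are the releases fixed by 3.0.7 for CVE-2022-3602 / CVE-2022-3786.
AFFECTED_BRANCH, FIRST_FIXED_PATCH = "3.0", 7


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Split '1.0.2k' into (1, 0, 2, 'k'); 3.x versions carry no letter suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def branch_of(text: str) -> str:
    """Release branch: 0.x/1.x use three numbers (1.0.2, 1.1.1); 3.x uses two (3.0)."""
    major, minor, patch, _ = parse_version(text)
    return f"{major}.{minor}.{patch}" if major < 3 else f"{major}.{minor}"


def is_supported(text: str) -> bool:
    """Is this version on a branch that still receives upstream fixes?"""
    return branch_of(text) in SUPPORTED_BRANCHES


def needs_3_0_7(text: str) -> bool:
    """True for 3.0.0 .. 3.0.6. Backported fixes are invisible to a banner check."""
    _, _, patch, _ = parse_version(text)
    return branch_of(text) == AFFECTED_BRANCH and patch < FIRST_FIXED_PATCH


def scan_blob(blob: bytes) -> List[str]:
    """Return the distinct OpenSSL versions whose banner occurs in a binary."""
    found = {m.group(1).decode("ascii") for m in VERSION_RE.finditer(blob)}
    return sorted(found)


def classify_images(images: Dict[str, bytes]) -> Dict[str, dict]:
    """Per image: versions found, whether any is supported, whether any needs 3.0.7."""
    report = {}
    for name, blob in images.items():
        versions = scan_blob(blob)
        report[name] = {
            "versions": versions,
            "supported": any(is_supported(v) for v in versions),
            "needs_3_0_7": any(needs_3_0_7(v) for v in versions),
        }
    return report


def share_supported(report: Dict[str, dict]) -> float:
    """Fraction of images containing OpenSSL that run a supported branch."""
    with_ssl = [r for r in report.values() if r["versions"]]
    if not with_ssl:
        return 0.0
    return sum(r["supported"] for r in with_ssl) / len(with_ssl)


# Constructed sample "firmware": junk bytes around a banner, mimicking what
# strings(1) shows on an extracted rootfs or a statically linked daemon.
SAMPLE_IMAGES = {
    "router-a.bin": b"\x7fELF...libcrypto...OpenSSL 1.0.2k  26 Jan 2017\x00...",
    "camera-b.bin": b"...vendor-sdk...OpenSSL 1.1.1q  5 Jul 2022\x00...",
    "gateway-c.bin": b"...OpenSSL 3.0.5 5 Jul 2022\x00...",
    "plc-d.bin": b"...no TLS stack in this image...",
}

if __name__ == "__main__":
    rep = classify_images(SAMPLE_IMAGES)
    for name, r in rep.items():
        print(f"{name:14} {r}")
    print(f"share on a supported branch: {share_supported(rep):.0%}")
```

On a real extracted image you would feed every ELF file (or the whole rootfs) to scan_blob; a banner turning up in a vendor daemon rather than in libcrypto.so is the static-linking case the paragraph above warns about.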

In the ICS and IoT world, we may have been lucky this time not to be affected by CVE-2022-3786 and CVE-2022-3602. But with LTS of OpenSSL 1.1.1 ending in less than a year, on September 11th, 2023, this should serve as a wake-up call that we need to get our dependencies in order and keep our software bill of materials (SBOM) up to date.

A first step to tackle this issue is to gain visibility into your and your supply chain’s dependencies. We’re ready to help!

About ONEKEY

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management. The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

Integrated compliance checking already covers the upcoming EU Cyber Resilience Act and existing requirements according to IEC62443-4-2, EN303645, UNR155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

CONTACT:

Sara Fortmann

Marketing Manager

sara.fortmann@onekey.com


euromarcom public relations GmbH

+49 611 973 150

team@euromarcom.de