The cybersecurity industry appears to have dodged a vulnerability bullet.
The OpenSSL Project, developer of widely used open-source software dealing with encrypted communications, issued on Tuesday new patches for two “high-severity” vulnerabilities recently discovered in versions of its cryptographic library.
According to vendors contacted by CRN, the vulnerabilities are serious enough for channel and IT personnel in general to act upon fixes as soon as possible.
But perhaps the real news is that the vulnerabilities were not rated “critical,” the severity the OpenSSL Project had pre-announced last week and which led many companies to brace for a potentially major security crisis involving likely Remote Code Execution (RCE) attacks.
Some also feared a repeat of the “Heartbleed” bug, a flaw in OpenSSL itself disclosed in April 2014, more than eight years earlier.
In a blog post Tuesday, however, the OpenSSL Project said it had decided to downgrade the “critical” rating to “high” after consulting with other experts and concluding that the RCE threats could be mitigated.
Though OpenSSL officials last week indicated the existence of only one vulnerability, the project said Tuesday there were actually two (CVE-2022-3602 and CVE-2022-3786), both affecting OpenSSL 3.0.0 through 3.0.6 and fixed in OpenSSL 3.0.7. Earlier release branches such as 1.1.1 are not affected.
“Our security policy states that a vulnerability might be described as CRITICAL if ‘remote code execution is considered likely in common situations.’ We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1st November 2022 before being released to HIGH,” said OpenSSL in its blog post.
“CVE-2022-3786 was NOT rated as CRITICAL from the outset, because only the length and not the content of the overwrite is attacker controlled. Exposure to remote code execution is not expected on any platforms.”
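The practical first step for anyone triaging this advisory is an inventory check: which systems report an OpenSSL 3.0.x build earlier than 3.0.7? The script below is an added example written for this article, not code from CRN or from the OpenSSL Project; it parses the banner printed by `openssl version`, classifies it against the 3.0.0 through 3.0.6 affected range, and filters a constructed host inventory (the host names and banners are made up for illustration). One caveat is built in as a comment: distributions such as Ubuntu and Red Hat backport fixes without changing the upstream version string, so a banner reading 3.0.2 may already be patched; the version check is a starting point, and the package changelog is the final word. Applications that bundle their own copy of OpenSSL (static binaries, language runtimes, container images) have to be checked separately.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Affected range stated in the OpenSSL advisory for CVE-2022-3602 and
# CVE-2022-3786: 3.0.0 through 3.0.6, fixed in 3.0.7. The 1.1.1 and 1.0.2
# branches are not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022" and "OpenSSL 1.1.1q  5 Jul 2022".
# Deliberately does not match LibreSSL or BoringSSL banners.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an `openssl version` banner, or None
    if the banner is not an OpenSSL one (e.g. "LibreSSL 3.3.6")."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def triage(banner: str) -> str:
    """Classify a banner as 'affected', 'fixed', 'unaffected-branch' or 'unknown'.

    Caveat: vendors backport fixes without bumping the upstream version, so
    'affected' means "upstream version is in the vulnerable range"; confirm
    against the distribution's package changelog before declaring a host
    vulnerable."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if v < AFFECTED_MIN:
        return "unaffected-branch"   # 1.1.1 / 1.0.2 lines
    if v < FIXED:
        return "affected"            # 3.0.0 .. 3.0.6
    return "fixed"                   # 3.0.7 and later


def is_affected(banner: str) -> bool:
    return triage(banner) == "affected"


def hosts_needing_upgrade(inventory: Dict[str, str]) -> Dict[str, str]:
    """Given host -> banner, return the hosts whose upstream version is in the
    affected range, mapped to the version string for the ticket."""
    return {
        host: ".".join(str(x) for x in parse_openssl_version(banner))
        for host, banner in inventory.items()
        if is_affected(banner)
    }


def local_openssl_banner() -> Optional[str]:
    """Banner of the OpenSSL binary on PATH, or None if there is none."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


# Constructed sample inventory (hypothetical hosts and banners, not real data).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-vpn": "OpenSSL 1.1.1q  5 Jul 2022",
    "bsd-jump": "LibreSSL 3.3.6",
    "build-box": "OpenSSL 3.0.0 7 sep 2021",
}

if __name__ == "__main__":
    for host, version in sorted(hosts_needing_upgrade(SAMPLE_INVENTORY).items()):
        print(f"{host}: OpenSSL {version} is in the affected range, upgrade to 3.0.7")
    local = local_openssl_banner()
    if local:
        print(f"local: {local!r} -> {triage(local)}")
```

Run it on a real inventory by replacing `SAMPLE_INVENTORY` with the output of `openssl version` collected from each host; the `triage` result for the local binary is printed last when an `openssl` binary is on PATH.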
But project officials said there’s still a threat out there, even if it’s been downgraded to “high severity.”
“We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible,” the OpenSSL team wrote on its blog.
“We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post.”
Pete Allor, director of product security at Red Hat, the Raleigh, N.C.-based enterprise software firm built on an open-source model, told CRN that security officials in general “dodged our largest fear” when OpenSSL concluded that the software flaws were not as critical as originally thought.
“It was a big challenge that we were dreading,” he said of how companies reacted to last week’s initial “critical” announcement from OpenSSL. “There was a lot of apprehension.”
He praised the OpenSSL Project for first alerting people about the potential for a major security problem and then explaining why it was downgrading that warning.
Thomas Pace, co-founder and CEO of NetRise Inc., an Austin, Texas-based developer of vulnerability and risk ID offerings for IoT devices, said the OpenSSL Project did the right thing by issuing a preliminary warning – and then downgrading that warning a week later.
Though he said the risk of RCE attacks has been “significantly minimized” now that the issues are rated “high” rather than “critical,” he said some platforms may still be vulnerable.
“I would argue the problem is still huge,” he said. “It’s just not as huge as (initially) thought.”