By 
Highlights:
- The OpenSSL project, the very basic element of the secured internet we all know, announced patching a critical severity security vulnerability
- Because OpenSSL is so widely used, the potential magnitude of this vulnerability is enormous, hence the urgency to patch and update systems
- Check Point Researchers are closely monitoring this evolving story and is sharing as much information as possible to ensure customers and partners are prepared
Background
In an official statement last Tuesday (25 October), the OpenSSL project team announced the forthcoming release of their next version, which will be released on Tuesday November 1st 2022 which is expected to include a fix for a CRITICAL security vulnerability.
The OpenSSL Project defines a critical vulnerability as follows:
“CRITICAL Severity. This affects common configurations which are also likely to be exploitable…”
RELATED: Check Point Software reports 42% global increase in cyber attacks with ransomware as No.1 threat
A tense week-long wait has come to an end, with two new critical vulnerabilities in OpenSSL announced. These vulnerabilities can be tracked as CVE-2022-3602 (remote code execution) and CVE-2022-3786 (Denial of Service). These two vulnerabilities affect OpenSSL versions 3.0.0 – 3.0.6 and are patched in the most recent release of version 3.0.7.
What is OpenSSL?
OpenSSL is a commonly used code library designed to allow secured communication over the internet. Simply put, whenever we browse the internet, the Web site we browse or the online service we access use OpenSSL at its very basic level.
What happens now?
Check Point researchers are working with the company’s worldwide operation to ensure that all their clients have the best protection as soon as possible. Check Point Research (CPR) will also share insights on what is the impact of possible exploitation as more information becomes available.
What about tech vendors?
It is time for the tech industry to upgrade all vulnerable products with the fix, so their clients do not have to worry about threat actors who are working to weaponize the information gathered on these vulnerabilities. But this is not an easy task, so it will take some time for some vendors.
Here you can view the list of vulnerable and non-vulnerable software – https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software?s=08
From SolarWinds to Log4j and now the OpenSSL vulnerability, Check Point Research is seeing an exponential increase in the rate and sophistication of cyberattacks globally. OpenSSL is the industry’s foundation for securing the internet – enabling communications across email, Web sites, and Web apps to be secure – which makes this threat especially dangerous.
Whatever happens in the cybersecurity space – any new vulnerability, threat, or malicious activity – we, at Check Point are there to protect you with the BEST security you deserve.
“OpenSSL has just put an end to the week-long wait around the critical vulnerability. The revelation is that this vulnerability is capable of remote code execution, posing high-risk for any SSL-encrypted product. We are all now in a security race. Check Point will provide a virtual patch to give our technology vendors the proper time to update their open SSL libraries. Users should be protected until further updates are available,” said Lotem Finkelsteen, Director Threat Intelligence and Research at Check Point.
Emergency Response Hotline
If you think your organisation has been breached or is under attack, do contact Check Point’s Incidence Response services
In addition, our worldwide Technical Assistance Centres are available to assist you 24 x 7.
