The cyber security community was deeply engrossed this week in the news that OpenSSL, the organization responsible for the software package that encrypts and secures communications across much of the internet, was about to release a patch for a newly discovered “Critical” vulnerability.
The original announcement on October 25th was met with a cyclone of reaction and commentary from security experts. However, after a few tense days of speculation, OpenSSL downgraded the vulnerability rating to “High” before publicly releasing details of the security flaw and the patch on November 1, 2022. Despite the lowered rating, and while the issue is turning out not to be the crisis that many experts had feared, this is still considered a potentially major security issue and it is important to understand it and take remedial action where necessary.
This blog will explain what OpenSSL is used for, the commotion caused by the announcement this week, what it means for your OT network’s cyber security, and offer advice from SCADAfence’s analysts on protecting your network from the vulnerabilities.
Securing Communications Across The Internet from Vulnerabilities
As the name implies, OpenSSL is an open source project maintained by volunteers. Its primary purpose is to secure communication across the Internet by creating encrypted channels that allow digital information to travel between endpoints securely. First released in 1998, it is considered a very mature and secure product and is widely used by thousands of software development companies worldwide. Most services and websites whose URLs start with “https” rely on a version of OpenSSL.
In 2014, OpenSSL captured headlines when a critical vulnerability branded Heartbleed was first identified. Heartbleed is a flaw in OpenSSL’s ‘Heartbeat’ extension that could be exploited by sending a seemingly legitimate message that would fool a computer into revealing secret information such as passwords and credit card numbers. For many observers, the recent vulnerability was reminiscent of the Heartbleed critical vulnerability, and there was some concern that this could be a repeat of that episode.
OpenSSL Announces A “High” Vulnerability
This latest vulnerability was reported to OpenSSL by a user on October 17th, 2022. Upon initial review, the organization assigned it an internal rating of “critical”. On October 25th, they quietly announced that they would soon be releasing a product upgrade to address a recently discovered security flaw. One week later, they released full details of the vulnerability and the patch.
It’s important to note that this security flaw only affects the newest version of OpenSSL, versions 3.0.0 to 3.0.6, released just over a year ago in September 2021. The patch is being shipped in version 3.0.7. Older versions of the software are not affected.
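A practical first step is to check which deployed assets actually fall inside the affected range. The following is an added example (not code from the original post or from SCADAfence) that parses the banner printed by `openssl version`, classifies it against the range stated above (3.0.0 through 3.0.6 affected, 3.0.7 fixed, older branches not affected) and triages a constructed asset inventory; the asset names and banners in `SAMPLE_INVENTORY` are made up for illustration.

```python
import re
from typing import Optional, Tuple

# Range taken from the advisory summary above: only OpenSSL 3.0.0 through 3.0.6
# is affected; 3.0.7 carries the fix; the older 1.x branches are not affected.
FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022" and 1.x banners such as "OpenSSL 1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner.

    Letter suffixes used by the 1.x branches (e.g. 1.1.1q) are ignored for the
    comparison, since no 1.x release is inside the affected range anyway.
    Returns None when the banner does not look like OpenSSL output.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify(banner: str) -> str:
    """Return 'affected', 'patched', 'not-affected' or 'unknown' for a banner."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"            # not OpenSSL (e.g. a LibreSSL banner)
    if FIRST_AFFECTED <= v < FIRST_FIXED:
        return "affected"           # 3.0.0 .. 3.0.6
    if v[:2] == (3, 0):
        return "patched"            # 3.0.7 or later in the 3.0 branch
    return "not-affected"           # older branches or a different release line


def triage(inventory):
    """Apply classify() to (asset_name, banner) pairs; returns name -> verdict."""
    return {name: classify(banner) for name, banner in inventory}


# Constructed sample inventory (hypothetical asset names and banners).
SAMPLE_INVENTORY = [
    ("hmi-01",      "OpenSSL 1.1.1q  5 Jul 2022"),
    ("gateway-07",  "OpenSSL 3.0.5 5 Jul 2022"),
    ("historian",   "OpenSSL 3.0.7 1 Nov 2022"),
    ("plc-legacy",  "OpenSSL 1.0.2k-fips  26 Jan 2017"),
    ("edge-sensor", "LibreSSL 3.6.1"),
]

if __name__ == "__main__":
    for asset, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:12s} {verdict}")
```

Only assets reported as `affected` need the 3.0.7 update; `unknown` entries are worth a manual look because the banner came from a different library or a vendor-modified build whose version string this parser does not recognise.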
The risk posed by these new vulnerabilities, CVE-2022-3602 and CVE-2022-3786, is that they could be weaponized by malicious actors to launch Distributed Denial of Service (DDoS) attacks or Remote Code Execution (RCE).
The OpenSSL project explained that it downgraded the flaw’s rating from “Critical” to “High” because additional testing during the week of pre-notification showed that exploiting this vulnerability would be very difficult, which the project considers a highly unlikely possibility.
The Impact for OT/ICS Networks’ Cyber Security
Luckily, the impact of this vulnerability on OT networks is so far expected to be limited. Since, as stated above, the vulnerability is only relevant to products using OpenSSL version 3, older OT/ICS devices using earlier versions of the software library are not going to be affected.
According to SCADAfence CTO Paul Smith, “We have reviewed the High vulnerabilities announced this week by OpenSSL and believe the impact on the traditional OT world will be minimal as most client side interfaces are still running legacy versions and tend to not have trusted authority signed certificates for the on-premise equipment.”
Overall, we expect OT networks to experience very limited impact or disruption. Because the version of OpenSSL under discussion is relatively new, only a handful of OT and IIoT devices are using it. Most organizations in the critical infrastructure and manufacturing sectors will have very few deployed assets affected by this announcement. Given the very recent release date, older appliances are running older OpenSSL versions and are unlikely to be vulnerable; in addition, most organizations use self-signed certificates on their equipment rather than certificates from a third-party trusted signing authority.
“Additionally, as with all newly announced vulnerabilities, SCADAfence’s product team has reviewed and assessed any potential impact on SCADAfence customers. Users of the SCADAfence Platform do not have exposure to the latest OpenSSL version 3.X vulnerability as we do not utilize any of these versions in our products. Furthermore, the vulnerability is directly related to client side signed certificates and these certificates require a compromised trusted signing authority,” said Smith.
As of now, OpenSSL says there is no evidence that the new vulnerabilities are being exploited by threat actors in the real world. There have been no reported attacks based on this vulnerability. OpenSSL confirms in their official advisory, and in a blog post on the day the patch was released, “we are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited.”
As always, it is important to stay aware of the latest potential cyber security threats and how they may impact your organization, and to apply the latest security patches to deployed assets on your network where possible.
The SCADAfence Platform recently released a new feature, Tailored Threat Intelligence, which creates a custom feed of news and intelligence specifically for your OT network, containing the information most important to you. This feature helps you understand the relevancy of reported vulnerabilities and their potential impact on your network in an ongoing, real-time manner and provides a custom relevancy score for each news item or event.
If you have any specific questions about how your organization may be affected by the OpenSSL vulnerabilities, please contact us at email@example.com, or request a demo of the SCADAfence Platform.
SCADAfence will update this blog with additional information as it becomes available.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.