Healthcare Sector Urged to Address OpenSSL FlawsEntities Should Identify Where OpenSSL Exists in Infrastructure, Apply Fixes
Healthcare organizations should be ready to find and patch instances of OpenSSL 3.0, warn cybersecurity experts.
The open source project behind the secure communications application released Tuesday a patch for two vulnerabilities it rated as high risk after setting much of the cybersecurity world on fire when a week ago it said one of the bugs posed "critical" levels of risk.
The last time the OpenSSL Project released a critical path was Heartbleed (see: Not Heartbleed: OpenSSL Vulnerability Not 'Critical' Anymore).
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center warned the healthcare sector ahead of today's patch to be on the lookout for it. OpenSSL says none of the vulnerabilities appear to have been exploited in the wild.
Dustin Hutchison, CISO and vice president of services security firm Pondurance, tells Information Security Media Group he's glad the vulnerabilities were downgraded. Healthcare organizations should still take action, he says.
"Healthcare organizations rely heavily on third party connectivity, so leveraging this issue as a reason to create or update a solid inventory of not only hardware, software, third party libraries, and third-party vendors, but also data flows and connection details is a great step."
Also, the level of risk that a security vulnerability poses to a healthcare organization can also depend upon the type of product affected, says Kevin Fu, associate professor and founder of the Archimedes Center for Healthcare and Device Security at the University of Michigan. "The level of risk for OT products, such as a medical device, could be much higher than it is for IT products," says Fu, a former medical device cybersecurity adviser at the Food and Drug Administration.
Ben Denkers, chief innovation officer at security and privacy consultancy firm CynergisTek, part of Clearwater, says an organization's ability to patch the vulnerabilities is a larger measure of its maturity. "These vulnerabilities really test the organization’s capabilities in terms of understanding what their potential exposure is. The better an organization is at keeping an updated Configuration Management Database, the easier it becomes to identify."
Most organizations struggle with their ability to keep an updated configuration management database, he adds.
Versions of OpenSSL 3.0.0 to 3.0.6 are vulnerable. The group advises users to upgrade to OpenSSL 3.0.7. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Most users of OpenSSL - which does not include major web browsers - operate on older versions, given that version 3 is little more older than one year.
"You're pretty bleeding edge if you're using OpenSSL 3," says Chester Wisniewski, Sophos principal research scientist.
OpenSSL is an open-source cryptographic library used with many of the most common operating systems and applications to implement transport layer security for securely communicating networked servers.
"OpenSSL is deployed across industries ubiquitously, including the health sector," HHS HC3 says.
OpenSSL in its announcement described one of the vulnerabilities - CVE-2022-3602 - the vulnerability initially advertised as critical - as involving a 4 byte buffer flow tied to certificate validation. The buffer overflow could potentially result in remote code execution or an operating system crash.
"An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack," OpenSSL says. It also notes that many modern operating system have stack overflow protections which would mitigate against the risk of remote code execution.
The other vulnerability, CVE-2022-3786, also hinges on a buffer overrun triggered certificate verification but can only trigger an computer crash.
"An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack," OpenSSL says.