What you need to know about the OpenSSL 3.0 vulnerabilities

Brock Bingham|November 3, 2022
OpenSSL 3.0 vulnerabilities featured image

OpenSSL, the popular open-source cryptography library, has identified two vulnerabilities affecting its platform. Discover more about this latest security risk, whether it impacts you or your organization, and how to remediate it.

Details regarding the OpenSSL vulnerabilities

Identified as CVE-2022-3602 and CVE-2022-3786, the vulnerabilities were initially rated as critical, though they have since been assigned a “high” severity rating due to several mitigating factors.

The vulnerabilities involve X.509 certificates containing an email address that includes specific Unicode characters, which can cause a buffer overrun with certain versions of OpenSSL. Currently, the vulnerabilities leave the platform susceptible to a denial-of-service attack. It’s theorized that the vulnerabilities can lead to remote code execution, though this has yet to be proven.

Who’s impacted by the OpenSSL vulnerabilities

Currently, the vulnerabilities only affect OpenSSL versions 3.0.0 to 3.0.6. OpenSSL 1.1.1 and 1.0.2 are not impacted, as indicated in the security advisory.

What to do if you are running vulnerable versions of OpenSSL

The OpenSSL project released OpenSSL version 3.0.7 on November 1, 2022, which patches both vulnerabilities. Users and organizations are encouraged to update to the newest release as soon as possible.

How to find affected endpoints with PDQ Inventory

If you’re unsure if this security advisory impacts you, or if you need to identify vulnerable systems, PDQ Inventory can help. One of our very own PowerShell wizards created a PowerShell script that can be used with the PowerShell scanner in PDQ Inventory to identify vulnerable machines.

Here’s the PowerShell script:

```powershell
# Known install locations of the Windows OpenSSL builds; the last path that exists wins.
$possibleFilePaths = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe",
                     "C:\Program Files\OpenSSL-Win32\bin\openssl.exe",
                     "C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe"

foreach ($possibleFilePath in $possibleFilePaths) {
    if (Test-Path -Path $possibleFilePath) { $filepath = $possibleFilePath }
}

if ($filepath) {
    Try {
        # "openssl version" prints e.g. "OpenSSL 3.0.6 11 Oct 2022":
        # token 1 is the version, tokens 2-4 are the release date.
        $cmd = & $filepath version
        $cmd = $cmd.Split(" ")
        $version = $cmd[1]
        $releaseDate = "$($cmd[2]) $($cmd[3]) $($cmd[4])"
        $status = "Installed"
    }
    Catch {
        $version = $null
        $releaseDate = $null
        $status = "Filepath found, but no version detected. Investigate manually by running the following on the target in Command Prompt: `"$filepath`" version"
    }
}
else {
    $version = $null
    $releaseDate = $null
    $status = "Not Installed"
    $filepath = $null
}

# PDQ Inventory stores each property of the returned object as a scanner column.
$output = [PSCustomObject]@{
    Version     = $version
    ReleaseDate = $releaseDate
    Filepath    = $filepath
    Status      = $status
}

return $output
```

Here’s how to create the PowerShell scanner in PDQ Inventory:

  1. With PDQ Inventory open, click the New Scanner button, then click PowerShell.

    Creating a new scanner in PDQ Inventory image

  2. Give the scanner a descriptive name.

  3. Select Script, then paste the PowerShell script into the script window. You can also save the script as a PS1 file and enter the path to the file.

    Creating a PowerShell scanner in PDQ Inventory image

  4. When you’re finished, click OK, which will close the scanner window and open the New Scan Profile window.

  5. At the New Scan Profile window, enter a name for the new scan profile. You can use the same name you used for the scanner.

    Creating an OpenSSL vulnerability scan profile in PDQ Inventory.

  6. Click OK to save and close the scan profile window.

Here’s how to run the scanner against your computers:

  1. Right-click on All Computers, then click Scan Collection > <OpenSSL_Scanner_Name>.

    Running a scan against computers in PDQ Inventory

  2. You can monitor the status of the scan in the Scan Status column.

    Scan status in PDQ Inventory

  3. After the scan has finished, double-click any computer to open the computer details window.

  4. In the computer details window, click the PowerShell link.

    Opening the PowerShell pane in the computer details window

  5. Click the drop-down menu in the PowerShell window, then select the OpenSSL scanner.

    Locating the correct PowerShell scanner to display

  6. The results of the scan should appear. The scan provides the version number, release date, file path, and installation status. If not installed, the status will indicate Not Installed.

    OpenSSL PowerShell scan results

Now that we have the information in PDQ Inventory, we can generate a report to help us identify vulnerable endpoints.

  1. Click the New Report button, then click Basic Report.

    Creating a basic report in PDQ Inventory

  2. Name the report.

  3. Click into the empty row under the default row, and in the first column, use the drop-down arrow to select the OpenSSL PowerShell scanner.

    Adding a PowerShell scanner row to the report

  4. Click the Filters tab.

  5. Click the Add value filter button.

    Adding a new filter row to the report

  6. Use these settings for the new filter: <PowerShell_OpenSSL_Scanner_Name> > Version > Version Between > 3.0.0 > 3.0.6

    The PowerShell filter criteria to be added to the report

  7. Click Save, then click Run Report.

Saving and running the report

After clicking the Run Report button, PDQ Inventory will generate your report. Here are the results from my report:

OpenSSL report results image

You can use this information to quickly identify which endpoints are vulnerable and need to be updated.
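As an added example that is not part of the original post or the PDQ scanner script, the following PowerShell evaluates an openssl version output line against the advisory's affected range (3.0.0 through 3.0.6) with proper version comparison rather than string comparison, and adds a search for OpenSSL 3 DLLs that other applications bundle, which the three fixed paths in the script do not cover. The DLL file names and their ProductVersion resource are assumptions, as is everything the comments label as such.

```powershell
# Added example, not part of the original post or the PDQ scanner script above.
# Checks an "openssl version" output line against the advisory's affected range,
# 3.0.0 through 3.0.6, using [version] so a later 3.0.x release cannot sort below
# 3.0.6 the way a plain string comparison ("3.0.10" -lt "3.0.6") would.
function Test-OpenSslAffected {
    param([Parameter(Mandatory)][string]$VersionOutput)

    # Typical lines: "OpenSSL 3.0.6 11 Oct 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
    # The letter suffix on 1.x releases (1.1.1q) is ignored by the pattern.
    if ($VersionOutput -notmatch 'OpenSSL\s+(\d+\.\d+\.\d+)') {
        return [PSCustomObject]@{ Version = $null; Affected = $null; Note = 'Unrecognized version string' }
    }
    $v = [version]$Matches[1]
    $affected = ($v -ge [version]'3.0.0') -and ($v -le [version]'3.0.6')
    if ($affected)          { $note = 'Affected by CVE-2022-3602 and CVE-2022-3786; update to 3.0.7 or later' }
    elseif ($v.Major -lt 3) { $note = 'Not in the affected 3.0.x series' }
    else                    { $note = 'Patched release' }

    [PSCustomObject]@{ Version = $v.ToString(); Affected = $affected; Note = $note }
}

# Assumption (not from the post): OpenSSL 3 builds on Windows ship libcrypto-3*.dll
# and libssl-3*.dll carrying a ProductVersion resource. Applications that bundle
# their own copy are missed by the three fixed paths in the scanner script, so this
# walks the given roots for those DLLs and evaluates every copy it finds.
function Find-BundledOpenSsl3 {
    param([string[]]$Root = (@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }))

    Get-ChildItem -Path $Root -Recurse -Include 'libcrypto-3*.dll', 'libssl-3*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $check = Test-OpenSslAffected -VersionOutput "OpenSSL $($_.VersionInfo.ProductVersion)"
            [PSCustomObject]@{ Path = $_.FullName; Version = $check.Version; Affected = $check.Affected }
        }
}

# Constructed sample lines so the check can be exercised on a machine without OpenSSL.
$samples = 'OpenSSL 3.0.6 11 Oct 2022', 'OpenSSL 3.0.7 1 Nov 2022', 'OpenSSL 1.1.1q  5 Jul 2022'
$samples | ForEach-Object { Test-OpenSslAffected -VersionOutput $_ } | Format-Table -AutoSize
```

Run Find-BundledOpenSsl3 on a target to list bundled copies; only the rows with Affected set to True need the 3.0.7 update.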

Be cautious, but don’t freak out

There was a lot of panic when this security advisory was first announced. Many assumed these vulnerabilities would be the new Heartbleed 2.0. Thankfully, it’s not as bad as many first speculated. However, as with any vulnerability, ensuring your devices are secure is essential. If you need help keeping your devices up to date, download a free trial of PDQ Deploy and Inventory. With in-depth scanning and automated patching, Deploy and Inventory can help keep computers safe and secure.

Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.
