At a glance.
- OpenSSL fixes very serious vulnerabilities.
- ICS security report.
- DNS threats.
OpenSSL fixes very serious vulnerabilities.
The OpenSSL project has published fixes for two very serious vulnerabilities in OpenSSL versions 3.0.0 and above. The flaw was initially labeled “critical”, and Akamai notes that observers are taking it very seriously because critical-severity flaws in OpenSSL are rare. The OpenSSL Project said today that “Further analysis based on some of the mitigating factors…has led to it being downgraded to HIGH. Users are always encouraged to upgrade to a new version as soon as possible.”
The first vulnerability (CVE-2022-3602) could cause a denial of service or lead to remote code execution:
“A buffer overflow can be triggered in X.509 certificate verification, particularly in name constraint verification. Note that this occurs after the certificate chain signature verification and requires either that a certificate authority has signed the malicious certificate, or that the application continues to verify the certificate despite the failure to construct a path to a trusted issuer. An attacker can create a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could lead to a crash (causing a denial of service) or potentially remote code execution.
“Many platforms implement stack overflow protections that would mitigate the risk of remote code execution. The risk can be further mitigated depending on the stack layout for a given platform/compiler.”
The second vulnerability (CVE-2022-3786) could be used to trigger a denial of service:
“An attacker can create a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could cause a crash (causing a denial of service).
“In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.”
Researchers at Nucleus report that while the vulnerabilities are serious, the threat may not be as widespread as some headlines suggested, since most organizations are still using OpenSSL 1.x or 2.x.
Nucleus states: “According to many prominent voices in the field, few organizations will end up on OpenSSL 3.x+ (the versions of OpenSSL affected by this vulnerability), unless they have machines running more. If this is the case and you are currently using OpenSSL 3.x in production, the critical severity rating determined by the OpenSSL team strongly indicates the possibility that this could be a remote exploit of OpenSSL software.”
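Since the practical question for most teams that week was simply "are we on an affected 3.0.x build?", here is an added Python check (not code from the page, from OpenSSL, or from Nucleus) that classifies an OpenSSL version string as inside or outside the affected range. It assumes the affected range is 3.0.0 up to but not including the fixed release 3.0.7 and that the 1.x series is unaffected; the page itself does not name the fixed version number, so treat that constant as an assumption to verify against the OpenSSL advisory.

```python
import re
import ssl
import subprocess

# Assumption (not stated on the page): the first 3.0.x release carrying the
# fixes for CVE-2022-3602 and CVE-2022-3786 is 3.0.7. Builds below 3.0.0
# (the 1.0.x / 1.1.1 series) do not contain the affected punycode code path.
FIXED_3_0 = (3, 0, 7)

# Matches "3.0.5" in "OpenSSL 3.0.5 5 Jul 2022" and "1.1.1q" in
# "OpenSSL 1.1.1q  5 Jul 2022" (the letter suffix is captured but ignored).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch) parsed from an `openssl version` string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(text):
    """True when the version string names a build in [3.0.0, 3.0.7)."""
    return (3, 0, 0) <= parse_version(text) < FIXED_3_0


def check_running_python():
    """Classify the OpenSSL library this Python interpreter is linked against."""
    text = ssl.OPENSSL_VERSION
    return text, is_affected(text)


def check_system_openssl(binary="openssl"):
    """Classify the `openssl` CLI on PATH; returns None if it cannot be run."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip(), is_affected(out)


if __name__ == "__main__":
    for result in (check_running_python(), check_system_openssl()):
        if result is None:
            continue
        text, vuln = result
        print(f"{text}: {'AFFECTED - upgrade' if vuln else 'not affected'}")
```

One caveat worth keeping in mind: the version string alone is not conclusive on distributions that backport fixes without bumping the upstream version, so a build reporting 3.0.2 may already be patched. Treat a positive result as a prompt to check the vendor package changelog, and note that statically linked copies of OpenSSL inside other binaries will not show up in either of these checks.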
ICS security report.
The SANS 2022 OT/ICS Cybersecurity Report, sponsored by Nozomi Networks, was released late last week. The survey indicates that OT cybersecurity has improved compared to last year’s survey:
- “62% of respondents rated the risk to their OT environment as high or severe (slightly down from 69.8% in 2021).
- “Ransomware and financially motivated cybercrime topped the list of threat vectors (39.7%), followed by nation-state-sponsored attacks (38.8%). Non-ransomware criminal attacks came third (cited by 32.1%), followed closely by hardware/software supply chain risks (30.4%).
- “While the number of respondents who said they had experienced a breach in the past 12 months fell to 10.5% (from 15% in 2021), 35% of them said that an engineering workstation was an initial infection vector (compared to 18.4% last year).
- “35% were unsure whether their organization had been compromised (compared to 48%), and 24% were confident they had not had an incident (a 2x improvement over the previous year).
- “In general, IT compromises remain the dominant access vector (41%), followed by replication via removable media (37%).”
DNS threats.
Akamai’s DNS Threat Report for Q3 2022 found that 14% of devices connected to a malicious destination at least once during the quarter. The researchers state, “Breaking down these potentially compromised devices further, 59% of devices were communicating with malware or ransomware domains, 35% were communicating with phishing domains, and 6% were communicating with command and control (C2) domains”.
Akamai adds, “Comparing Q3 2022 results with Q1 and Q2 2022 results, we can see stability across all categories with some increase on the C2 front. As we are unable to attribute this increase to a specific attack campaign, we attribute it to seasonal changes in the threat landscape. It’s also possible that the increase could be attributed to an increase in vulnerable devices.”
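The two figures Akamai reports (share of devices that touched a malicious destination at least once, and the breakdown of those devices by destination category) are exactly what a defender can compute from their own resolver logs against a threat-intelligence feed. The following Python is an added example, not Akamai's code or methodology: the blocklist, the log lines and the severity ordering used to put a device into a single bucket are all constructed for illustration, and a real deployment would substitute its own feed and log format.

```python
from collections import Counter

# Constructed threat-intelligence feed (not from Akamai): domain -> category.
BLOCKLIST = {
    "update-cdn.example": "malware",
    "locker-pay.example": "ransomware",
    "login-secure.example": "phishing",
    "beacon.example": "c2",
}

# The report groups malware and ransomware domains together; map raw feed
# categories onto the three buckets it uses.
BUCKET = {
    "malware": "malware/ransomware",
    "ransomware": "malware/ransomware",
    "phishing": "phishing",
    "c2": "c2",
}

# Assumption: a device that touched several buckets is counted once, under the
# most severe bucket, so the breakdown sums to 100% as in the report.
SEVERITY = {"c2": 3, "malware/ransomware": 2, "phishing": 1}

# Constructed resolver log, one query per line: "<timestamp> <client> <qname>".
# Note the trailing-dot and mixed-case names, which normalize() must handle.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z 10.0.0.5  www.example.org
2022-09-01T10:00:03Z 10.0.0.5  update-cdn.example
2022-09-01T10:00:07Z 10.0.0.9  login-secure.example
2022-09-01T10:00:09Z 10.0.0.9  dl.update-cdn.example.
2022-09-01T10:01:11Z 10.0.0.12 mail.example.org
2022-09-01T10:02:15Z 10.0.0.17 beacon.example
2022-09-01T10:02:16Z 10.0.0.17 BEACON.example
2022-09-01T10:03:40Z 10.0.0.21 cdn.example.net
2022-09-01T10:04:02Z 10.0.0.30 locker-pay.example
2022-09-01T10:05:00Z 10.0.0.40 intranet.example.org
2022-09-01T10:05:30Z 10.0.0.44 www.example.org
2022-09-01T10:06:10Z 10.0.0.50 login-secure.example
"""


def normalize(qname):
    """Lower-case and strip the trailing dot so 'BEACON.example.' matches."""
    return qname.rstrip(".").lower()


def classify(qname):
    """Return the bucket for qname or any parent domain on the blocklist."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):          # never match the bare TLD
        hit = BLOCKLIST.get(".".join(labels[i:]))
        if hit:
            return BUCKET[hit]
    return None


def summarize(log_text):
    """Compute the report's two metrics plus a per-device triage list."""
    devices = set()
    worst = {}                                # client -> most severe bucket
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname = line.split()
        devices.add(client)
        bucket = classify(qname)
        if bucket and SEVERITY[bucket] > SEVERITY.get(worst.get(client), 0):
            worst[client] = bucket
    counts = Counter(worst.values())
    n_bad = len(worst)
    return {
        "devices": len(devices),
        "compromised": n_bad,
        "pct_compromised": round(100 * n_bad / len(devices), 1) if devices else 0.0,
        "breakdown": dict(counts),
        "breakdown_pct": {b: round(100 * c / n_bad, 1) for b, c in counts.items()},
        # Most severe first, so C2 beacons land at the top of the queue.
        "triage": dict(sorted(worst.items(), key=lambda kv: -SEVERITY[kv[1]])),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['pct_compromised']}% of {result['devices']} devices "
          f"reached a listed destination at least once")
    for bucket, pct in result["breakdown_pct"].items():
        print(f"  {bucket}: {pct}%")
    for client, bucket in result["triage"].items():
        print(f"  triage {client}: {bucket}")
```

The parent-domain walk in classify() matters in practice: feeds usually list a registered domain, while the log records the full query name, so an exact-match lookup would miss `dl.update-cdn.example`. The triage dict is the part an analyst actually acts on; the percentages are for trending quarter over quarter, as the report does.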
The report also looked at phishing kits and found that the most spoofed brands were Adobe and M&T Bank:
“According to Akamai research that tracked 299 different phishing toolkits used in the wild to launch new attack campaigns, in Q3 2022, 2.01% of tracked kits were reused for at least 63 separate days (Figure 5). Additionally, 53.2% of kits were reused to launch a new attack campaign on at least five days, and 100% of tracked kits were reused on no less than three separate days during Q3.”