May 12, 2020

Remediating OpenSSL Vulnerabilities

Summary

When an update to OpenSSL is applied, we recommend rebooting your device or computer. This is the best way to ensure that the update has been completely applied.

Because you may not always know when OpenSSL is in use, you must ensure that all updates are consistently applied in a timely fashion to all types of devices, including IoT or embedded devices.

Detail

What is OpenSSL?

OpenSSL is not a program; it is a library which programs can use to provide cryptographic functions. There are other, similar libraries, such as LibreSSL and GnuTLS. These libraries may be loaded with the program, or may be built into the program.

Examples of programs that use OpenSSL are Apache, OpenSSH, and numerous VPN services.

The dynamic linking problem

When one of these programs starts up, it usually loads a copy of the OpenSSL library into memory (this is called “dynamic linking”). If OpenSSL is updated by the operating system, what usually happens is that the on-disk copy is updated, but there may still be copies of the older, vulnerable version in memory and in use by programs. These programs remain vulnerable until they are restarted.

Because it can be difficult to know which programs use OpenSSL, it is safest to just reboot the device.
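One way to see the dynamic linking problem on a running system, as an added example that is not part of the original advisory: on Linux, a process that still has the old copy of a shared library mapped after the on-disk file was replaced shows that mapping in /proc/<pid>/maps with a "(deleted)" marker. The script below (function names stale_openssl_maps and scan_running_processes are this example's own; it assumes a Linux /proc filesystem and permission to read other processes' maps files, normally root) lists such processes so you can decide between restarting them individually and rebooting.

```shell
#!/bin/sh
# Added example (not from the original advisory): find running processes that
# still have an OpenSSL shared library mapped whose on-disk file has been
# replaced. Linux marks such mappings "(deleted)" in /proc/<pid>/maps.

# Print the pathname of every libssl/libcrypto mapping in one maps file that
# is marked "(deleted)". It takes the path of the maps file as an argument so
# it can be run against a constructed sample as well as /proc/<pid>/maps.
stale_openssl_maps() {
    maps_file="$1"
    # A maps line ends "... <inode> <pathname> (deleted)"; the pathname is the
    # second-to-last field. Print each stale library path once.
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]*.*\(deleted\)' "$maps_file" 2>/dev/null \
        | awk '{ print $(NF-1) }' \
        | sort -u
}

# Walk every process and report PID, command name and the stale library path,
# tab-separated. Processes listed here keep running the old, vulnerable code
# until restarted (or the machine is rebooted), whatever the on-disk version says.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_openssl_maps "$maps" | while read -r lib; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Usage: sh stale_openssl.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
fi
```

An empty report is only meaningful if the scan ran as root: unprivileged users cannot read other users' maps files, and the 2>/dev/null above hides that permission error. The check also only covers libraries loaded as shared objects; a program with OpenSSL built in never shows up here, which is the static linking problem discussed next.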

The static linking problem

In other cases, particularly in embedded or IoT devices, programs may have a copy of OpenSSL built into them instead of loading it at startup (this is called “static linking”). These programs will remain vulnerable until the vendor issues an updated version of the program.

Unfortunately, it may be difficult or impossible to know when you have such a program, so your best defense is to ensure that you are subscribed to update notifications and always update your device promptly (or have automatic updates turned on, if applicable).
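A heuristic for spotting programs with OpenSSL built in, as an added example that is not part of the original advisory: a dynamically linked program names the shared object it needs ("libssl.so.N" or "libcrypto.so.N") in its own string table, whereas a statically linked copy of OpenSSL carries the library's version banner (the "OpenSSL 1.1.1f  31 Mar 2020" style text) inside the program file itself. The script below (function names openssl_linkage, embedded_openssl_versions and report_static_openssl are this example's own) classifies files by those strings without executing them, so it can be pointed at an extracted firmware image as well as a live /usr/bin.

```shell
#!/bin/sh
# Added example (not part of the original advisory): a string-based heuristic
# for how a file uses OpenSSL, run without executing the file.
#   "dynamic": the file names libssl.so / libcrypto.so as a needed library
#   "static":  the file carries OpenSSL's own version banner, i.e. the
#              library is compiled in and only a vendor update replaces it
#   "none":    no OpenSSL reference found
openssl_linkage() {
    bin="$1"
    if grep -a -q -E 'lib(ssl|crypto)\.so' "$bin" 2>/dev/null; then
        echo dynamic
    elif grep -a -q -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+' "$bin" 2>/dev/null; then
        echo static
    else
        echo none
    fi
}

# Print the OpenSSL version banner(s) embedded in a file, one per line.
# For a statically linked program this is the version to compare against the
# vendor's fixed release; for libssl/libcrypto itself it is the installed version.
embedded_openssl_versions() {
    grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" 2>/dev/null | sort -u
}

# Walk a directory tree (e.g. an unpacked firmware root or /usr/bin) and report
# each file whose strings suggest OpenSSL is built in, with the embedded version.
report_static_openssl() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        if [ "$(openssl_linkage "$f")" = static ]; then
            printf '%s\t%s\n' "$f" "$(embedded_openssl_versions "$f" | tr '\n' ' ')"
        fi
    done
}

# Usage: sh openssl_linkage.sh /path/to/tree
if [ -n "${1:-}" ]; then
    report_static_openssl "$1"
fi
```

Treat the result as a lead, not proof: a vendor may strip the banner, bundle a renamed fork such as BoringSSL, or ship OpenSSL inside a compressed or encrypted firmware blob that this scan cannot read. That uncertainty is exactly why the advisory's advice stands: subscribe to vendor update notifications and apply updates promptly rather than relying on being able to enumerate every embedded copy.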

Relevant information

PoC Exploit Released for DoS Vulnerability in OpenSSL

Common Vulnerabilities and Exposures: CVE-2020-1967