Updated: Nov 20
How Team Cymru products help you discover and manage the impact and risk
On November 1st, 2022, version 3.0.7 of OpenSSL was released to patch a high vulnerability, at the time of writing it was as yet undisclosed.
Published as X.509 Email Address 4-byte Buffer Overflow with accompanying CVE-2022-3602 and CVE-2022-3786, this vulnerability allows an attacker to craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack.
The specific CVE-2022-3602 vulnerability, if exploited, could result in a crash (causing a denial of service) and/or remote code execution.
What is being advised?
Upgrading to OpenSSL 3.0.7 as soon as possible is being advised for users of OpenSSL 3.0.0 - 3.0.6.
How to assess risk using Team Cymru products
Team Cymru has two products that enable organisations to assess and quantify this vulnerability, and measure risk to both their own, and third parties.
Starting with Pure Signal Orbit, our Attack Surface Management platform. With a combination of Asset Management, Vulnerability Management, Business Risks and Threat Intelligence, it is the most fully featured product on the market that finds assets, reveals vulnerabilities and alerts to threats at unmatched speed and scale.
This puts you at a distinct advantage when facing celebrity vulnerabilities and reacting to alerts of high or critical patches.
Assessing the Attack Surface & External Digital Assets for OpenSSL 3.x Vulnerabilities
How to use Pure Signal Orbit to find impact assets and quantify impact of the Open SSL 3.0.7.
After logging in, go to Vulnerability Management, then follow these two alternative steps:
From the Pure Signal Orbit Dashboard
Move your cursor to the bottom right of the dashboard as shown below, and click on the box that highlights OpenSSL Less Than 3.0.7 Critical Vulnerability.
Figure 1 - where to find the Vulnerability alerts in the Orbit dashboard
You will see this box in the lower right corner of the Pure Signal Orbit Dashboard.
Figure 2 - the OpenSSL v3.0 Vulnerability alert in the Orbit dashboard
You will then see a list of impacted assets, where you can click through as see specifics such as Environment, Business Risk score, any other Vulnerabilities that may be present, in addition to our helpful response guides.
From the Vulnerability Management view
Log in to your Pure Signal Orbit dashboard and select ‘Vulnerabilities’, and then select ‘Vulnerability Types’ shown below.
In the search box shown below, type the following: “OpenSSL” or “CVE-2022-3786” or “CVE-2022-3602” (not currently live in this view yet)
Figure 3 - where to find the the search tool within the Orbit dashboard
You will now be presented with the list of assets impacted by Open SSL Critical Vulnerability, and can take action in order of priority using our integrated Total Asset Risk score that combines CVE weightings in addition to Business Risk scores.
Threat Reconnaissance technique for assessing potential OpenSSL risk from vulnerable third parties
Pure Signal Recon is our analysts portal into the world’s largest data ocean designed specifically for Threat Intelligence. By ingesting over 200bn daily internet connections, Pure Signal data is unmatched in size and scale to gain visibility into third party risks, and very effective at making discoveries when vulnerabilities are announced..
How to use Pure Signal Recon to find impact assets and quantify impact of the Open SSL 3.0.7.
After logging in, run a Query, include the following:
Specify your timeframe - i.e. previous 7 days
Specify the IP addresses or ranges of IP’s of interest
There are 2 primary data sets that will contain this information - “Open Ports” and “NMAP Open Ports”
Use the post query filters and search for “OpenSSL/3” to identify any vulnerable versions of OpenSSL
You can apply the following variations:
Post Filter: Data = “OpenSSL/3”
Post Filter: Version = “OpenSSL/3”
Results will be returned within the confines of the argument and any further filters you have applied.
Figure 4 - Sample results from running an OpenSSL v3.0 query from within the Recon dashboard
We hope both these examples for discovering OpenSSL v3.0 vulnerabilities across Pure Signal Orbit and Recon are useful.
If you have any questions or queries we have a range of options to get you in front of our experts quickly.