Serious OpenSSL vulnerability puts Intel-powered systems at risk

A white padlock on a dark digital background.

(Image credit: Shutterstock.com)

OpenSSL v3.0.4, the latest version of the open-source library for applications that secure communications, seems to be carrying a high-severity bug that could allow exploiters to run malicious code, remotely.

The problem is - there’s no proof of concept, which means it still can’t be considered a fully-fledged vulnerability, and the question remains whether it ever will.

Reports claim this version of OpenSSL carries a memory corruption vulnerability on CPUs with the AVX512 extension (Advanced Vector Extensions 512). The version was released in an attempt to fix an earlier command-injection vulnerability (CVE-2022-2068) which, itself, wasn’t able to fix an even earlier issue - CVE-2022-1292.

High-severity vulnerability, or not?

On GitHub, the explanation is that when ossl_rsaz_mod_exp_avx512_x2(), makes a call off to bn_reduce_once_in_place(), the call includes the value factor_size, which is supposed to be the number of words to process.

However, the old code was sending bit size, which sometimes could result in heap buffer overflow. As the problem can be created via a TLS handshake, remote endpoint abuse is a possibility.

While some researchers believe this warrants a 10/10 severity score, not everyone agrees.

According to security researcher Guido Vranken, this version "is susceptible to remote memory corruption which can be triggered trivially by an attacker."

> Best business laptops: top devices for working from home, SMB and more

> Latest Intel CPUs have 'impossible to fix' security flaw

> AMD forced to fix Spectre patch after Intel reveals flaws

Vranken did add that the 1.1.1 tree of the library is still being used, rather than v3 tree, and that libssl was forked into LibreSSL and BoringSSL, which could complicate things for potential attackers.

Furthermore, the flaw only affects x64 chips with AVX512, making the attack surface that much smaller.

On the other hand, Tomáš Mráz, software developer at the OpenSSL Foundation, doesn’t think this flaw constitutes a security vulnerability.

"I do not think this is a security vulnerability," he said. "It is just a serious bug making [the] 3.0.4 release unusable on AVX512 capable machines."

The flaw has since been fixed, according to The Register, even though OpenSSL 3.0.5 hasn’t been released just yet.

Keep your digital premises secure with the best antivirus programs around

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.