
Winter is Coming… and so is the OpenSSL Vulnerability


The chilly weather in New York is definitely upon us, and as a typical East Coaster I am dreading the freezing months ahead. Winter is coming… and along with it comes not the white walkers, but an OpenSSL vulnerability.

On October 25th, 2022, the OpenSSL project team pre-announced OpenSSL 3.0.7, a release scheduled for November 1st that fixes a high-severity vulnerability in the 3.0 series (versions 3.0.0 through 3.0.6; 3.0.7 and the older 1.1.1 and 1.0.2 branches are not affected). The pre-announcement rated the issue CRITICAL; at release it was downgraded to HIGH, which is why both ratings appear in coverage of it. Below is the text of the announcement:

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7.

This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC.

OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL”

For the full pre-announcement from the OpenSSL project, read this blog.

In this case the project took a proactive approach and gave users almost a week of advance notice to prepare. The vulnerability affects OpenSSL packages at versions 3.0.0 through 3.0.6. Historically, OpenSSL vulnerabilities have had massive and immediate implications; think back to Heartbleed, which caused heartache for many organizations.

Posture Control's risk engine, combined with its workload vulnerability scanning, allowed us to issue security policies immediately that identify vulnerable instances and raise critical alerts for the vulnerable instances that are publicly facing.

How can you ensure that your organization remains safe?

With limited time and resources, now is the time for teams to start identifying and prioritizing the cloud assets that will need to be patched. Even before a fixed package is available, inventorying the affected assets limits your risk exposure and means you can act the moment the fix ships.

One way to enable your team is a cloud native application protection platform (CNAPP). With a CNAPP such as Posture Control from Zscaler, customers can identify and prioritize the assets that need attention. Among our customers, 12% got immediate results and discovered workload vulnerabilities; worse, most of those vulnerable workloads were public-facing assets.

Interestingly, because this vulnerability affects the newest release line of the library, the servers that are patched and updated most diligently (often the publicly facing ones) may actually be more at risk, since they are the ones running a vulnerable 3.0.x build rather than an older, unaffected release. Indeed, within our customer base we found more than 90% of the vulnerable workloads to be externally facing (accepting traffic from the internet).

In most situations, public-facing or publicly accessible assets take priority, as expected. They are followed by mission-critical servers and by instances attached to powerful access permissions (via an instance profile or the equivalent cloud identity). Bringing this context to the search is key.

Let's take an example. The Posture Control query shown below is a quick way to identify cloud assets across multiple cloud service providers (AWS, Azure, GCP) on which the OpenSSL package is installed. It then cross-references those assets with the permissions of the instance's role (flagging admin-level privileges) and with whether the asset is publicly accessible. An asset that hits all three criteria is where you focus first.

Caption: Using specific queries on Posture Control to identify cloud assets
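As an added worked example (not Posture Control's query language and not Zscaler or OpenSSL project code), the Python script below applies the same three-way prioritization to a small inventory constructed for illustration: it parses version strings the way `openssl version` or a package manager reports them, flags anything in the affected 3.0.0 through 3.0.6 range, and ranks the hits by public exposure and admin-level instance role. The `Workload` record, its field names and the sample hosts are assumptions made for the example.

```python
"""Triage cloud workloads for the OpenSSL 3.0.0-3.0.6 issue.

Added example for this post, not Zscaler's or the OpenSSL project's code.
The Workload record, its field names and INVENTORY are constructed for
illustration; feed in your own asset export in practice.
"""
import re
from dataclasses import dataclass

# Affected upstream range announced for the 3.0.7 release.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# First x.y.z in the string; tolerates "OpenSSL 3.0.5 5 Jul 2022",
# Debian/Ubuntu package versions like "3.0.2-0ubuntu1.6" and legacy "1.1.1q".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(text):
    """Return (major, minor, patch) or None if no x.y.z version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True when the upstream version falls in 3.0.0..3.0.6 inclusive.

    Caveat: distributions often backport the fix without bumping the upstream
    version, so treat a hit as "needs confirmation against the distro
    advisory", not as proof the host is exploitable.
    """
    v = parse_openssl_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


@dataclass
class Workload:
    name: str
    cloud: str              # "aws", "azure", "gcp"
    openssl_version: str    # as reported by `openssl version` or the package manager
    public: bool            # accepts traffic from the internet
    admin_role: bool        # instance profile / managed identity with admin-level rights


# Constructed sample inventory (hypothetical hosts, not real customer data).
INVENTORY = [
    Workload("web-gw-1", "aws", "OpenSSL 3.0.5 5 Jul 2022", public=True, admin_role=True),
    Workload("api-2", "azure", "3.0.2-0ubuntu1.6", public=True, admin_role=False),
    Workload("batch-3", "gcp", "3.0.6", public=False, admin_role=True),
    Workload("legacy-db", "aws", "OpenSSL 1.1.1q  5 Jul 2022", public=False, admin_role=False),
    Workload("build-5", "aws", "3.0.7", public=True, admin_role=True),
]


def priority(w):
    """Higher is more urgent: public + admin, then public, then admin, then internal."""
    return (2 if w.public else 0) + (1 if w.admin_role else 0)


def tier(w):
    """Human-readable label for the priority bucket."""
    return {3: "P1 public + admin", 2: "P2 public", 1: "P3 admin-only", 0: "P4 internal"}[priority(w)]


def triage(inventory):
    """Return affected workloads, most urgent first (ties broken by name)."""
    hits = [w for w in inventory if is_affected(w.openssl_version)]
    return sorted(hits, key=lambda w: (-priority(w), w.name))


if __name__ == "__main__":
    for w in triage(INVENTORY):
        print(f"{tier(w):<20} {w.cloud:<6} {w.name:<10} {w.openssl_version}")
```

Two practical caveats when you run this against a real export: the `openssl` binary on a host can differ from the library an application actually links (containers bundling their own OpenSSL, or statically linked binaries), so check package lists and container images as well as the host; and a version match is a reason to confirm against your distribution's advisory, not a verdict, because backported fixes keep the upstream version number.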

Once these assets are identified, notifying the asset owners is the critical next step. Since most enterprises have ITSM tooling, this information can be routed to the respective owners quickly.

Caption: Posture Control integrates with ITSM to send immediate alerts.

What are the immediate actions you need to take?

In cloud-native environments, ownership of these assets is spread across different teams, so events like this require cross-team coordination. It is critical to ensure that every team is aware of the vulnerability and is taking the appropriate steps to patch its assets in time.

It is important to monitor patching progress on these critical systems over time and to be notified when the CVEs move from "no fix available" to "fix available". Centralized reporting that the alerts are being cleared confirms that patching is happening as required.

With Posture Control, you can take a proactive approach to this challenge. Our solution identifies exactly this situation and raises an alert for a VM running a vulnerable package, noting in addition when the VM is publicly exposed and therefore more likely to be exploited. Current Posture Control customers can use this capability today.

Caption: Posture Control reporting is simple and easily digestible

Zscaler is here to help!

Posture Control is 100% agentless and can scan all of your AWS, Azure, and GCP environments to help identify and prioritize the assets that require your attention.

For more information on Posture Control, please reach out to our security experts for a free assessment by requesting a demo here.

Happy patching!
