The OpenSSL Project tomorrow is scheduled to release version 3.0.7 of the popular open source encryption library that patches a critical vulnerability, the first disclosed and addressed by OpenSSL in six years.
The project's maintainers have not provided any substantial details as of yet on the vulnerability.
OpenSSL is everywhere within IT, operational technology, and connected embedded systems. Commercial and homegrown software projects include OpenSSL as their cryptographic key solution.
The affected version—3.0—was released in 2021 and is less likely to be deployed in OT environments and within critical infrastructure given their slower update cycles.
The last critical vulnerability publicly disclosed and patched by OpenSSL was in September 2016 when an emergency security update addressed a flaw introduced by an earlier update. The patch in question introduced a dangling pointer vulnerability that could lead to server crashes or remote code execution.
2014’s Heartbleed vulnerability is one of the biggest internet-wide bugs of the 21st century. Heartbleed leaked memory to any client or server that was connected, and that exposed servers to attack. It also kicked off a major patching frenzy at the time as administrators scrambled to understand where OpenSSL was deployed within their infrastructure, and whether it could be updated before exploits were made public.
It also caused OpenSSL’s handlers and the maintainers of other ubiquitous open source projects to scrutinize the security of their code and how users are impacted. Therefore, it’s critical for organizations to get ahead of this potential patching effort. The SANS Institute today published a blog recommending that in many cases, the OpenSSL command utility below would reveal whether OpenSSL 3.0 is in use.
% openssl version
SANS Institute also published a list of affected Linux distributions, which is relatively few. MacOS users are not affected because the OS users LibreSSL by default. Other software, however, may later have installed OpenSSL, according to SANS.
The National Cyber Security Centrum (NCSC-NL) is also maintaining a list of software affected by the vulnerability that users are urged to monitor.
Users should expect OpenSSL to release its update between 1 p.m. and 5 p.m. UTC.
CWE-23 RELATIVE PATH TRAVERSAL:
An 'Arbitary File Deletion' in Samsung DMS (Data Management Server) allows attackers to delete arbitary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.1
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
An 'Arbitary File Creation' in Samsung DMS (Data Management Server) allows attackers to create arbitary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.2
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Samsung DMS (Data Management Server) allows authenticated attackers to create arbitary files in unintended locations on the filesystem.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.1
CWE-36 ABSOLUTE PATH TRAVERSAL:
Absolute Path Traversal in Samsung DMS (Data Management Server) allows authenticated attacker (Administrator) to read sensitive files.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 4.9
CWE-502 DESERIALIZATION OF UNTRUSTED DATA:
Deserialization of Untrusted Data in Samsung DMS (Data Management Server) allows attackers to execute arbitary code via write file to system.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.0