New OpenSSL vulnerability is dangerous, but very difficult to exploit
While SuSE and the BSI see a high risk, the OpenSSL project points to the extensive preconditions an exploit would need. No updates are coming for the time being.
Security vulnerabilities in the OpenSSL library usually affect the entire Internet: the collection of cryptographic functions is used by many applications as the basis for protocols such as HTTPS. That the project has not yet published any patches for a vulnerability with the potential for code execution therefore looks worrying at first glance. In fact, the developers have good reasons, and the more urgent warnings from other security teams are driven by formal reasons rather than by a higher actual risk.
The security advisory from the OpenSSL development team, which recently appeared on various mailing lists, reads like a routine case. With certain parameters for a special class of elliptic curves, the encryption routines can perform out-of-bounds read and write operations in main memory, which can lead to crashes. The OpenSSL developers also cannot rule out the execution of malicious code.
They consider the risk of the vulnerability, which carries the CVE ID CVE-2024-9143, to be low because the bug is difficult to exploit. Only applications that accept exotic parameters for elliptic curves over binary fields (GF(2^m)) from user input are theoretically vulnerable, so the OpenSSL team refrained from releasing emergency patches. The flaw exists in OpenSSL versions 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 and is to be fixed in versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb and 1.0.2zl, which have not yet been released.
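One defensive check that follows from that precondition, as an added example that is not from the article or the OpenSSL project: a small inspector for DER-encoded ECParameters (the X9.62 structure found in certificates and key files) that classifies them before they reach a crypto library, so an application can refuse explicit binary-field parameters outright and only pass named curves on. The field-type OIDs are the standard X9.62 identifiers; the sample encodings are constructed here, and the explicit one is cut down to the fields the check reads.

```python
# Added example, not OpenSSL code: classify DER ECParameters before use.
PRIME_FIELD = "1.2.840.10045.1.1"   # X9.62 prime-field
CHAR2_FIELD = "1.2.840.10045.1.2"   # X9.62 characteristic-two-field

def _tlv(der: bytes, pos: int = 0):
    """Decode one DER element at pos; return (tag, content, end offset)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    if pos + length > len(der):
        raise ValueError("truncated DER")
    return tag, der[pos:pos + length], pos + length

def _oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_ec_params(der: bytes) -> str:
    """Return 'named', 'explicit-prime', 'explicit-char2' or 'other'."""
    tag, body, _ = _tlv(der)
    if tag == 0x06:                                    # namedCurve OID
        return "named"
    if tag != 0x30:                                    # not SpecifiedECDomain
        return "other"
    _, _, pos = _tlv(body)                             # skip version INTEGER
    ftag, field_id, _ = _tlv(body, pos)                # fieldID SEQUENCE
    if ftag != 0x30:
        return "other"
    otag, oid_bytes, _ = _tlv(field_id)                # fieldType OID
    if otag != 0x06:
        return "other"
    return {PRIME_FIELD: "explicit-prime",
            CHAR2_FIELD: "explicit-char2"}.get(_oid(oid_bytes), "other")

def accept_ec_params(der: bytes) -> bool:
    # Policy: only named curves pass; any explicit parameters are rejected.
    return classify_ec_params(der) == "named"

def _der(tag: int, content: bytes) -> bytes:          # short-form encoder
    return bytes([tag, len(content)]) + content

# constructed samples: P-256 by name, and the head of an explicit GF(2^163)
# domain (curve, base and order fields omitted; the classifier never reads them)
P256_NAMED = _der(0x06, bytes.fromhex("2a8648ce3d030107"))
CHAR2_EXPLICIT = _der(0x30, _der(0x02, b"\x01") + _der(0x30,
    _der(0x06, bytes.fromhex("2a8648ce3d0102")) + _der(0x30, _der(0x02, b"\x00\xa3"))))
```

A rejected-by-policy result is the point to log, since an explicit binary-field curve arriving from outside is exactly the input the advisory describes.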
High risk, low risk, or what?
However, both the Linux distributor SuSE and the Computer Emergency Response Team for Federal Authorities (CERT-Bund) at the Federal Office for Information Security (BSI) assessed the risk differently: SuSE assigned a CVSS score of 7 (risk: high), and CERT-Bund even 8.1 out of 10 points. When asked about the discrepancy, Johannes Segitz from the SuSE security team explained to heise Security that the CVSS scale struggles with the probability of an attack. It always assumes a worst-case scenario, which explains the high score.
Tomas Mraz from the OpenSSL development team made a similar remark when asked: although the impact of the vulnerability is severe, it is extremely unlikely that any application is actually vulnerable. The OpenSSL project is not aware of a single vulnerable program. This is how the low risk rating comes about; the CVSS system simply cannot reflect these considerations.
CERT-Bund has not yet commented on its risk assessment, but it can be assumed that the analysts at the BSI rated the impact on the confidentiality and integrity of affected applications higher than their colleagues at SuSE did.
(cku)