Security experts are giving organizations advance disclosure of a critical vulnerability discovered in OpenSSL version 3.0 and above, leaving many to speculate about the potential impact on their organizations.
The OpenSSL project team intends to issue a patch on Tuesday, November 1, for upstream OpenSSL. Such advance knowledge is unique in that it gives teams an opportunity to identify which of their applications are vulnerable before a patch becomes available, but it is also a double-edged sword: It gives bad actors the opportunity to develop targeted ways to attack potential weaknesses in the code before a patch is available. One key element of traditional responsible disclosure processes is that everyone should be on an equal footing, and vulnerability disclosures occur only after patches are created, validated, and made available.
Since we’re still waiting on official patches to be issued, there is increased risk that bad actors could prey on teams scrambling for a patch by posting bogus versions with malware embedded within them. Organizations need to work swiftly but remain vigilant to avoid falling victim to spoofed versions. For organizations accustomed to commercial patch processes in which there is a single authoritative vendor, this risk is heightened given how many forks, or branches, of OpenSSL exist and how many channels distribute it.
What can incident response teams do right now to prepare for the upcoming patch and changes in the threat landscape?