{"id":7421,"date":"2021-09-28T12:49:09","date_gmt":"2021-09-28T19:49:09","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7421"},"modified":"2023-04-20T02:26:28","modified_gmt":"2023-04-20T09:26:28","slug":"critical-openssl-vulnerabilities-affecting-linux-and-nas-devices","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/critical-openssl-vulnerabilities-affecting-linux-and-nas-devices\/","title":{"rendered":"Critical OpenSSL Vulnerabilities affecting Linux and NAS devices"},"content":{"rendered":"<p>On August 24, 2021, Taiwan-based network-attached storage device manufacturer, Synology, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/synology-multiple-products-impacted-by-openssl-rce-vulnerability\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> remote code execution (RCE) and denial of service (DoS) OpenSSL vulnerabilities that impacted its products. This news comes in the wake of <a href=\"https:\/\/threatpost.com\/ech0raix-ransomware-variant-qnap-synology-nas-devices\/168516\/\" target=\"_blank\" rel=\"noopener\">eCh0raix ransomware attacks<\/a> on QNAP NAS devices between April and June 2021 and on Synology devices since 2019.<\/p>\n<p>Initially, it was unclear how many organizations and products would likely be affected by the flaws. However, soon after, tech giants including <a href=\"https:\/\/www.qnap.com\/en-in\/security-advisory\/qsa-21-39\" target=\"_blank\" rel=\"noopener\">QNAP<\/a>, <a href=\"https:\/\/www.alpinelinux.org\/posts\/Alpine-3.14.2-released.html\" target=\"_blank\" rel=\"noopener\">Alpine Linux<\/a>, <a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2021-3711\" target=\"_blank\" rel=\"noopener\">Debian<\/a>, <a href=\"https:\/\/access.redhat.com\/security\/cve\/cve-2021-3711\" target=\"_blank\" rel=\"noopener\">Red Hat<\/a>, <a href=\"https:\/\/www.suse.com\/security\/cve\/CVE-2021-3711.html\" target=\"_blank\" rel=\"noopener\">SUSE<\/a>, and <a href=\"https:\/\/ubuntu.com\/security\/CVE-2021-3711\" target=\"_blank\" rel=\"noopener\">Ubuntu<\/a> issued security advisories to inform customers about the impact of the two vulnerabilities.<\/p>\n<p dir=\"ltr\">Tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-3711\" target=\"_blank\" rel=\"noopener\">CVE-2021-3711<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-3712\" target=\"_blank\" rel=\"noopener\">CVE-2021-3712<\/a>, the OpenSSL vulnerabilities allow attackers to take over the flow of an application entirely by tricking it into thinking it has succeeded or failed to execute.<\/p>\n<h2 dir=\"ltr\"><strong>Recent Developments<\/strong><\/h2>\n<h2 dir=\"ltr\"><strong>New OpenSSL vulnerability<\/strong><\/h2>\n<p>On March 15, 2022, OpenSSL shipped patches for a high severity Denial of Service vulnerability that affects its software library. Dubbed as <a href=\"https:\/\/www.openssl.org\/news\/secadv\/20220315.txt\">CVE-2022-0778<\/a> with a CVSS v3 score of 7.5. The flaw affects OpenSSL versions 1.0.2, 1.1.1, and 3.0; was fixed in the released versions of 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. Although OpenSSL 1.1.0 is vulnerable, it will not be patched since it is has reached the end of life. While this vulnerability can be definitely weaponized, <a href=\"https:\/\/twitter.com\/NSA_CSDirector\/status\/1505888869157384199\">NSA<\/a> urges users to patch this vulnerability immediately.<\/p>\n<h2 dir=\"ltr\"><strong>Our Findings<\/strong><\/h2>\n<p dir=\"ltr\"><strong>CSW researchers studied the OpenSSL vulnerabilities and their impact. Here is our analysis:<\/strong><\/p>\n<p><strong>CVE-2021-3711<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-3711\" target=\"_blank\" rel=\"noopener\">CVE-2021-3711<\/a> is a heap-based SM2 buffer overflow vulnerability that leads to crashes and also allows attackers to execute arbitrary code.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Categorized under the weakness enumeration, CWE-120 (Buffer Copy without Checking Size of Input (Classic Buffer Overflow)), the critical severity vulnerability has a CVSS v3 score of 9.8.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The vulnerability affects OpenSSL versions 1.1.1 and 1.1.1K. The flaw has been <a href=\"https:\/\/www.openssl.org\/news\/openssl-1.1.1-notes.html\" target=\"_blank\" rel=\"noopener\">fixed<\/a> in v1.1.1J.<\/p>\n<\/li>\n<\/ul>\n<p><strong>CVE-2021-3712<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-3712\" target=\"_blank\" rel=\"noopener\">CVE-2021-3712<\/a> is a read buffer overrun vulnerability that can be used by attackers to crash vulnerable apps in denial of service (DoS) attacks or gain access to memory contents or sensitive information using private keys.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Categorized under the weakness enumeration, CWE-125 (Out-of-bounds Read), the high severity vulnerability has a CVSS v3 score of 7.4.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The vulnerability affects OpenSSL versions 1.1.1 and 1.1.1K. The flaw has been <a href=\"https:\/\/www.openssl.org\/news\/openssl-1.1.1-notes.html\" target=\"_blank\" rel=\"noopener\">fixed<\/a> in v1.1.1J.<\/p>\n<\/li>\n<\/ul>\n<p><img decoding=\"async\" style=\"width: 400px; height: 254px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/openssl-infographic-2-1.png\" alt=\"Linux OpenSSL Vulnerabilities\" \/><\/p>\n<h2 dir=\"ltr\"><strong>Products and Vendors Affected by the OpenSSL flaws<\/strong><\/h2>\n<blockquote><p><strong>\u201cIf one is looking at NVD alone, which quotes OpenSSL, NetApp, and Debian products only, the real impact of such vulnerabilities is not provided. We should remember that since OpenSSL is a library used by multiple third-party products like Synology and QNAP, we may tend to miss out on reporting the complete list of impacted products.\u201d<\/strong><\/p>\n<p dir=\"ltr\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ~ a CSW expert opinion<\/p>\n<\/blockquote>\n<p><strong>NAS device manufacturers, Synology and QNAP, reported that the vulnerabilities were impacting multiple products. Both companies are working on patches for the vulnerabilities. Here is a detailed list of the products affected:<\/strong><\/p>\n<p><strong><img decoding=\"async\" style=\"width: 650px; height: 560px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/openssl-infographic-1.png\" alt=\"Products and Vendors affected by OpenSSL vulnerabilities\" \/><\/strong><\/p>\n<h2 dir=\"ltr\"><strong>Way Forward<\/strong><\/h2>\n<blockquote><p><strong>\u201cThe impact that ransomware gangs may have by exploiting OpenSSL bugs will be, in most likelihood, huge, since NAS devices are widely used for data backups. Although there are no known exploits in the wild at the moment, we believe that all the chatter on underground forums about these vulnerabilities portends an imminent attack within the next few months.\u201d\u00a0 \u00a0\u00a0\u00a0\u00a0<\/strong><\/p>\n<p dir=\"ltr\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ~ CSW Analyst\u2019s viewpoint<\/p>\n<\/blockquote>\n<p>CSW\u2019s expertise and thought leadership regarding the spate of attacks targeting OpenSSL bugs and what it portends has been <a href=\"https:\/\/www.bankinfosecurity.com\/vendors-issue-security-advisories-for-openssl-flaws-a-17438\" target=\"_blank\" rel=\"noopener\">quoted<\/a> recently.<\/p>\n<p>With criminal gangs like eCh0raix ransomware and botnet malware like <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/synology-multiple-products-impacted-by-openssl-rce-vulnerability\/\" target=\"_blank\" rel=\"noopener\">StealthBot<\/a> knocking at the doors of NAS device manufacturers and Linux products, it is imperative that companies patch their systems or upgrade to the latest versions in order to prevent any ransomware groups which may leverage the OpenSSL vulnerabilities.<\/p>\n<p>Attackers require one vulnerability to exploit and take advantage of an organization. Organizations, as a result, should adopt a risk-based approach and manage the vulnerabilities in their attack surfaces to boost their security posture.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>To know more about CSW\u2019s Vulnerability Management as a Service (VMaaS), <\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>please <a href=\"https:\/\/cybersecurityworks.com\/services\/vulnerability-management-as-a-service\" target=\"_blank\" rel=\"noopener\">click here<\/a>.<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\">\n","protected":false},"excerpt":{"rendered":"<p>Two OpenSSL vulnerabilities, one remote code execution, and a denial-of-service were discovered by network-attached storage device manufacturers, Synology and QNAP. The fear of a ransomware attack leveraging the vulnerabilities still remains high. Here is our analysis of the vulnerabilities.<\/p>\n","protected":false},"author":1,"featured_media":7422,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,123,135],"tags":[455,167,326,456,182,250,327,139],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7421"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7421"}],"version-history":[{"count":3,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7421\/revisions"}],"predecessor-version":[{"id":17888,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7421\/revisions\/17888"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7422"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}