Flaws in the internet’s security library may have let hackers crash your device


Two security vulnerabilities, both rated ‘high’ severity, may have exposed millions of devices to crashes or to remote code execution (RCE) malware, owing to flaws in OpenSSL. OpenSSL, developed by the OpenSSL Software Foundation, is an open source, licensable software library used by applications to secure the connections over which internet data is transferred. Now, according to reports, two disclosed vulnerabilities in a relatively recent version of OpenSSL could have put a significant amount of internet traffic at risk.

The vulnerabilities were disclosed in the Common Vulnerabilities and Exposures (CVE) database under the IDs CVE-2022-3786 and CVE-2022-3602. Both flaws are buffer overflows, a fairly common way for hackers to breach systems. The main reason the issue was deemed important, however, is that the affected releases are recent ones: OpenSSL 3.0.0 through 3.0.6.

Depending on which version a website, app or service deployed, the affected releases date from anywhere between September last year and October 11 this year. That span likely covers a vast range of websites, the ones you commonly find with the prefix ‘https’, that may have been affected.


The buffer overflow vulnerabilities were further linked to email addresses, meaning that attackers could create a malicious email address and, by executing an administrative command, overflow a system’s buffer memory. The buffer memory of a website or service typically has a fixed size; a fault occurs when that size is exceeded and the excess data spills over into the adjacent buffer of the corresponding service.

In simpler terms, this overflow of data can crash a service. Further, attackers can use the crash to inject RCE malware into the system and thereby escalate their privileges on it.

To be sure, RCEs are a common way for hackers to gain remote access to a system. They can then use that access to inject more severe or targeted malware into a company’s infrastructure, or to carry out other related attacks.


Administrators and system operators are advised to apply the latest version of OpenSSL, 3.0.7, which patches both vulnerabilities. While most systems now enforce commonplace guards against buffer overflows, the flaw could still have let hackers carry out unchecked attacks on various websites, which the latest software version will help patch.
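A check that operators can run against the string printed by `openssl version`, added here as an example and not drawn from the article or from OpenSSL’s own tooling. The affected range (3.0.0 through 3.0.6) and the fixed release (3.0.7) are the ones the article states; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify an OpenSSL build against the
# range the article names as affected by CVE-2022-3602 and CVE-2022-3786
# (3.0.0 through 3.0.6 affected; 3.0.7 carries the fix).

# openssl_affected "OpenSSL 3.0.5 5 Jul 2022"
# Exit status 0 when the version is in the affected 3.0.0-3.0.6 range,
# 1 otherwise. The argument is the text printed by `openssl version`.
openssl_affected() {
    # Second field of "OpenSSL 3.0.5 5 Jul 2022" is the version number.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    # Drop any letter suffix such as the "q" in 1.1.1q, keeping digits and dots.
    num=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')
    case "$num" in
        *.*.*) ;;          # need major.minor.patch to reason about the range
        *) return 1 ;;     # unrecognised format: do not flag, but do not trust
    esac
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}     # ignore anything after a fourth component
    # Only the 3.0 line is affected, and only builds before 3.0.7.
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# report_openssl "<version string>": one-line verdict for inventory scripts.
# Exit status 1 when the build needs the upgrade, 0 when it does not.
report_openssl() {
    if openssl_affected "$1"; then
        printf 'AFFECTED  %s -> upgrade to OpenSSL 3.0.7 or later\n' "$1"
        return 1
    fi
    printf 'ok        %s\n' "$1"
    return 0
}

# Constructed sample strings in the format `openssl version` prints. Only the
# first one falls inside the affected range.
for s in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
         "OpenSSL 1.1.1q  5 Jul 2022"; do
    report_openssl "$s" || :
done
# On a live host: report_openssl "$(openssl version)"
```

The function deliberately reports only the 3.0.x line; the 1.1.1 series is outside the range the article names and is left alone.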

