The OpenSSL Team has patched two “critical” vulnerabilities (CVE-2022-3602 and CVE-2022-3786) that affect versions 3.0 to 3.0.6 of OpenSSL. The flaws, found in the open-source cryptographic library used to encrypt communication channels and HTTPS connections, are now patched in 3.0.7.
The attack vector appears to allow remote code execution and the ability to crash the system via a buffer overflow.
Any OS or VPN protocol compiled with the affected versions is vulnerable to attack. We recommend you seek advice from your VPN provider to be sure they have patched their systems if required.
What Operating Systems and Software are Affected?
It is unclear how many systems the bug may affect. For example, any VPN provider that compiles OpenVPN with OpenSSL version 3.0.0 through to 3.0.6 is affected.
Cloud security firm Wiz.io said that only 1.5% of all OpenSSL instances were found to be impacted by this security flaw after analyzing deployments across major cloud environments (i.e., AWS, GCP, Azure, OCI, and Alibaba Cloud).
ExpressVPN has stated that its Lightway protocol is unaffected due to using “wolfSSL for all of its cryptographic needs”, and that the operating systems running the VPN protocols use a version of OpenSSL unaffected by this vulnerability.
We are waiting to hear back from other VPN providers and will update this article in due course. Here is a list of operating systems we found to be affected.
Operating System | OpenSSL Version |
---|---|
CentOS Stream 9 | (3.0.1) |
Fedora 36 | (3.0.5) |
Fedora Rawhide | (3.0.5) |
Kali 2022.3 | (3.0.5) |
Linux Mint 21 Vanessa | (3.0.2) |
Mageia Cauldron | (3.0.5) |
OpenMandriva 4.3 | (3.0.3) |
OpenMandriva Cooker | (3.0.6) |
Redhat EL 9 | (3.0.0) |
Rocky Linux release 9.0 (Blue Onyx) | (3.0.1) |
Ubuntu 22.04 | (3.0.2) |
For a more comprehensive list, the National Cyber Security Centrum of the Netherlands (NCSC-NL) maintains a running list of software vulnerable to the OpenSSL 3.x flaws. Numerous popular Linux distributions, virtualization platforms, and other tools are listed as either vulnerable or under investigation.
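To check a host against the version range given above, the following shell script classifies the version banners printed by `openssl version` and `openvpn --version`. It is an added example, not part of the original article; the function name and result labels are made up for illustration, and the sample banners are constructed.

```sh
#!/bin/sh
# Added example (not from the article): triage OpenSSL version banners
# against the range the article names: 3.0.0 through 3.0.6 affected,
# 3.0.7 patched. Result tokens are this example's own.

# classify_openssl_banner TEXT
# Prints: affected-range | fixed | other-branch | unknown
classify_openssl_banner() (
    # First "OpenSSL <major>.<minor>.<patch>" in the text. Letter suffixes
    # (the "q" in 1.1.1q) are dropped; LibreSSL and wolfSSL do not match.
    ver=$(printf '%s\n' "$1" |
          grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+' |
          head -n 1 | cut -d' ' -f2)
    if [ -z "$ver" ]; then
        echo unknown
    else
        major=${ver%%.*}; rest=${ver#*.}
        minor=${rest%%.*}; patch=${rest#*.}
        if [ "$major" -ne 3 ] || [ "$minor" -ne 0 ]; then
            echo other-branch          # e.g. 1.1.1 is outside the range
        elif [ "$patch" -le 6 ]; then
            echo affected-range        # 3.0.0 .. 3.0.6
        else
            echo fixed                 # 3.0.7 or later 3.0.x
        fi
    fi
)

# Constructed sample banners, in the style printed by `openssl version`
# and by the "library versions:" line of `openvpn --version`.
while IFS= read -r sample; do
    printf '%-15s %s\n' "$(classify_openssl_banner "$sample")" "$sample"
done <<'EOF'
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
OpenSSL 1.1.1q  5 Jul 2022
library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
LibreSSL 3.3.6
EOF

# Live check of this host, if the tools are installed.
for cmd in "openssl version" "openvpn --version"; do
    if command -v "${cmd%% *}" >/dev/null 2>&1; then
        echo "${cmd%% *}: $(classify_openssl_banner "$($cmd 2>/dev/null || true)")"
    fi
done
```

Distribution packages often carry backported fixes under an unchanged upstream version number, so treat `affected-range` as a prompt to check the vendor's advisory for the installed package rather than as proof that the host is unpatched.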
Conclusion:
For the VPN user, the best thing to do now is to contact your provider and confirm that they are fully aware of this vulnerability and that they have audited their VPN servers, VPN protocols, and main web servers. Most VPN providers would likely be on top of this already if required.