OpenSSL’s ‘critical’ vulnerability: What you need to know

This post was written by Pete Membrey, chief engineer – VPN technologies, ExpressVPN

Update on Nov. 2, 2022: The OpenSSL Project Team has shared the details of the vulnerability that was initially disclosed last week. Two critical issues were identified in how OpenSSL handles certificate verification that could potentially allow a malicious actor to exploit the running application (client or server), causing a denial of service (DoS) attack. One of the issues was downgraded from critical to high due to “mitigating factors” that would help limit the scope of an attempted exploit. 

It is worth noting that in the general case, it would require a Certificate Authority (the highest level of trust) to sign a malicious certificate, as the certificate is verified as “trusted” before the check that causes the exploit. Although it would be possible to trick an application without requiring such a certificate, it’s very unlikely that any of the software that has been deployed with OpenSSL 3 is going to be susceptible to this.

In short, although these exploits are serious, the reality is that very few systems are vulnerable, and those that are vulnerable require very specific circumstances that are almost contrived. Given that a fix has already been released to remedy the situation, this is a security threat that is easily mitigated—especially when compared with Heartbleed of 2014 or last year’s Log4Shell.

There’s nothing like a good security vulnerability to really stir up the internet. With provocative nicknames (Heartbleed, anyone?), stylish logos, and shiny domain names, these superbugs can dominate tech headlines, and for good reason. The risks they create could affect the cybersecurity of everyone from individuals to corporations.

But the coverage of the most recent vulnerability in OpenSSL, made known a few days ago, is a little different: No one knows what the vulnerability is yet. Only the presence of a bug has been announced, and all that’s been said is the bug is classed as “critical”—the worst possible kind.

The OpenSSL Project Team has given notice that everyone should prepare for a further announcement on Nov. 1, when the details of the vulnerability (and hopefully fixes) will be revealed.

This early warning approach is unusual but was formulated in response to the way OpenSSL’s Heartbleed vulnerability was handled back in 2014. One of the biggest challenges in dealing with Heartbleed was that once the bug was announced, attackers were able to exploit it before people were able to patch their systems against it. 

The idea with the OpenSSL bug now is to ensure that people who are affected by the problem are aware of the situation and are ready to apply any fixes immediately after they are announced. That’s actually a really good thing.

What do we know right now?

So, right now we don’t know anything about the vulnerability except two key facts:

• It only affects OpenSSL 3
• It’s a critical vulnerability

The first point is great news, as although OpenSSL is very widely used, it is normally the 1.1.1 or the now aging 1.0.2 variants that are actually in production. As neither of these variants are affected by this vulnerability, systems and software using them are not affected either. As OpenSSL 3.0 was only released in September 2021, any platform older than this is unlikely to be affected either.

The second point is not great news but it’s great to know. Knowing that the flaw is so serious—and having that knowledge for a week—ensures that people will want to apply the fix as soon as possible. This is key to ensuring a safe and secure internet.

Is the ExpressVPN platform affected?

The ExpressVPN platform is not affected by the latest OpenSSL vulnerability, although we remain vigilant and will be paying very close attention to the announcement on Nov. 1.

What about Lightway?

Our Lightway VPN protocol uses wolfSSL for all of its cryptographic needs and does not use OpenSSL at all. That means that all Lightway clients and servers are totally unaffected by the OpenSSL bug. If you connect to ExpressVPN using Lightway (which is the default in our apps), you’ll be protected by wolfSSL.

Read more: Q&A with wolfSSL, the team behind Lightway’s cryptography

What about the VPN servers?

The ExpressVPN platform is powered by TrustedServer, a fully customized in-memory operating system with a focus on security and privacy. Every ExpressVPN server runs TrustedServer without exception. Although TrustedServer does use OpenSSL (as most Linux distributions do), it is using the latest version of OpenSSL 1.1.1. This means that TrustedServer is also unaffected by the new security vulnerability.

Although the bug in question is not applicable to our servers this time around, it’s important to note that a very fast response to security issues is a core part of TrustedServer’s design. TrustedServer allows for extremely rapid security updates, meaning that from the time such a vulnerability is announced and a fix is made available, our entire server fleet could be fully updated in just a few hours, often even faster.

Read more: Deep dive into the security of our server tech

How can I tell if I’m affected?

The SANS Internet Storm Center is maintaining a list of affected operating systems. The link also contains information on how you can test your platform to see which version of OpenSSL is being used. If you do discover any new information, we highly recommend getting in touch with the organization so they can add it to their site for everyone to benefit.

What should I do now?

All that is left to do now is identify if you have any machines that are vulnerable so that you will be able to upgrade them easily when the announcement is made on Nov. 1. When fixes are released, make sure you install them immediately.

Until then though, any rumors or speculation you might hear about the vulnerability is just that. Best to wait for the official announcement before making any big decisions.