OpenSSL, the data-encryption software used worldwide, urgently needs updating. The severity of the vulnerability is rated “High”, so transport encryption based on TLS is at risk. Servers, clients and IoT infrastructures should be patched. The BSI has also issued a warning.
A newly disclosed vulnerability endangers all systems worldwide that rely on OpenSSL, one of the most widely used pieces of encryption software, for TLS-based transport encryption. When certain TLS certificates are processed, a targeted attack can bring clients and servers to a complete standstill (DoS, denial of service). “Servers, clients and other devices must be checked immediately and patched if necessary. Since this software is very widespread, the majority of all IT systems - from servers to clients to the Internet of Things - are affected. If hackers specifically attack this gap, it can become very critical for companies and institutions,” warns Jan Wendenburg, CEO of IoT Inspector. The security company operates the leading European platform for automated checking of IoT firmware. The newly disclosed vulnerability can also be detected and remediated specifically in IoT and IIoT devices and infrastructure, that is, in their software.
Threat Level: High
In the recent past, the IoT Inspector team has uncovered numerous vulnerabilities in products of well-known hardware manufacturers. “We have experienced that after a technical advisory was published, hackers began to attack the addressed security gap. Therefore, administrators should immediately check whether the problem is in their networks,” says Jan Wendenburg from IoT Inspector. The vulnerability (CVE-2022-0778) is rated with a threat level of high. It was discovered by Tavis Ormandy, a British white-hat hacker who currently works at Google as part of the Project Zero team. OpenSSL versions 1.0.2, 1.1.1 and 3.0 are affected by the vulnerability. Administrators who use OpenSSL should install one of the fixed versions, 1.1.1n or 3.0.2, as soon as possible.
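The version check the paragraph above asks administrators to perform, as an added example that is not part of the original article: a POSIX shell function that classifies the output of `openssl version` against the fixed releases the article names (1.1.1n and 3.0.2), with constructed sample strings in the comments.

```shell
# Classify an `openssl version` string against the CVE-2022-0778 fix
# levels named in the article (1.1.1n and 3.0.2). Prints one word:
# "patched", "vulnerable" or "unknown". Always returns 0 so it is safe
# under `set -e`; callers branch on the printed word instead.
cve_2022_0778_status() {
    # $1 example (constructed): "OpenSSL 1.1.1k  25 Mar 2021"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    case "$ver" in
        1.1.1[n-z]*)
            # 1.1.1 releases append a patch letter; "n" and later carry the fix
            echo patched ;;
        1.1.1*)
            # plain 1.1.1 and patch letters a..m predate the fix
            echo vulnerable ;;
        3.0.*)
            patch=${ver#3.0.}
            # 3.0.0 and 3.0.1 are affected; 3.0.2 shipped the fix
            if [ "$patch" -ge 2 ] 2>/dev/null; then echo patched; else echo vulnerable; fi ;;
        1.0.2*)
            # 1.0.2 is affected and out of public support; the article tells
            # administrators to move to 1.1.1n or 3.0.2 instead
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# Check the OpenSSL binary on this host, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    echo "$(openssl version): $(cve_2022_0778_status "$(openssl version)")"
fi
```

Distribution packages frequently backport the fix without changing the upstream version string, so a "vulnerable" result from this check is a prompt to confirm against the package changelog, not a final verdict.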
Unpredictable situation
The team of specialists at IoT Inspector advises that a rapid response is particularly advisable against the background of international cyber attacks related to the war in Ukraine: “Critical infrastructures, but also companies, are currently more at risk than ever. The uncovered use of European technology in Russian war equipment shows how quickly companies can now find themselves caught in the crossfire and possibly drawn into a campaign by Anonymous hackers. The situation is unpredictable,” explains Wendenburg. Just a few days ago, the Federal Office for Information Security (BSI) warned for the third time of war-related attacks on IT infrastructures. Every component of a network can serve as an entry point unless its security gaps are identified through targeted analysis and then remedied. Following the BSI warnings, IoT Inspector continues to offer a free security check for IoT/IIoT endpoints of all types in critical (KRITIS) infrastructures, in order to protect the European security architecture as well as possible. A firmware check takes only a few minutes and analyzes the relevant risks.
More at IoT-Inspector.com
About IoT Inspector
IoT Inspector is the leading European IoT security analysis platform and enables an automated firmware check of IoT devices for critical security gaps with just a few mouse clicks. The integrated compliance checker also detects violations of international compliance guidelines. Weak points exposed to external attacks and other security risks are identified in the shortest possible time and can be resolved in a targeted manner. The solution, operated through an easy-to-use web interface, reveals previously unknown security risks to manufacturers and distributors of IoT technology.