OpenSSL vulnerability advisory
| Component | Affected by CVE-2022-3602 | Comment |
|---|---|---|
| Smart ID Certificate Manager | Not affected | Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Nexus OCSP Responder | Not affected | Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Nexus Timestamp Server | Not affected | Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Desktop App/Client | Not affected | Uses OpenSSL 1.1.1, which is not affected. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Mobile App | Not affected | |
| Nexus Card SDK | Not affected | Uses OpenSSL 1.1.1, which is not affected. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Physical Access | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Digital Access (previously named Hybrid Access Gateway, HAG) | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Identity Manager/PRIME | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Self-Service (Angular/SpringBoot-based) | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Self-Service Legacy USSP (Wicket-based) | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Smart ID Messaging component - Hermod | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. Recommendation is to check the underlying OS in your installation for the OpenSSL version, and upgrade if applicable. |
| Nexus ID06 Service | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. |
| Nexus Go Cards | Not affected | Uses OpenSSL 1.1.1, which is not vulnerable. |
Further information
Technical information about the vulnerability
In order to be impacted by this vulnerability, the victim (client or server) needs a few conditions to be true:
- A malicious certificate needs to be signed by a CA that the victim trusts
- The victim needs to validate the malicious certificate, or ignore a series of warnings from the browser
- The victim needs to be running OpenSSL 3.0.x before 3.0.7
For a client to be affected by this vulnerability, it would have to visit a malicious site that presents a certificate containing an exploit payload. In addition, this malicious certificate would have to be signed by a trusted CA.
Servers with a vulnerable version of OpenSSL can be attacked if they support mutual authentication - a scenario where both the client and the server provide a valid, signed X.509 certificate - and the client is able to present a certificate with an exploit payload to the server.
How should you handle this issue?
If you are managing services that run OpenSSL, you should patch vulnerable OpenSSL packages. On a Linux system you can determine whether any processes are dynamically loading OpenSSL with the lsof command. Here is an example of finding OpenSSL being used by NGINX:
root@55f64f421576:/# lsof | grep libssl.so.3
nginx 1294 root mem REG 254,1 925009 /usr/lib/x86_64-linux-gnu/libssl.so.3 (path dev=0,142)
Once the package maintainers for your Linux distro release OpenSSL 3.0.7 you can patch by updating your package sources and upgrading the libssl3 package. On Debian and Ubuntu this can be done with the apt-get upgrade command:
root@55f64f421576:/# apt-get --only-upgrade install libssl3
With that said, it is possible that you are running a vulnerable version of OpenSSL that the lsof command cannot find, because the process is statically compiled. It is important to update the statically compiled software that you are responsible for maintaining, and to make sure that over the coming days you update your operating system and other installed software that might contain vulnerable OpenSSL versions.
Nexus strongly recommends you to contact your other suppliers as well.