Rolling 2 day view of updates from this repo
- https://gsd.id/GSD-2022-1006615
- https://github.com/pblumo/openssl-vuln-nov-2022/blob/main/list.csv
- https://github.com/NCSC-NL/OpenSSL-2022
- https://docs.google.com/spreadsheets/d/1EMGeffxhiRceyz6XW6O6cH5tcrBaoLLX06M9OdNsENY/edit#gid=1075768917
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a
- https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
- https://www.openssl.org/news/cl30.txt
- TBC
/opt
/usr/local
/home
(see also UNIX)
/Applications
/Library
/Users/*/Applications
/Users/*/Library
c:\Program Files
c:\Program Files (x86)
c:\Documents and Settings
c:\Users
find /path/to/check -type f -iname "lib*ssl*.so*" -o -iname "lib*crypt*.so*" -o -iname "lib*ssl*.a*" -o -iname "lib*crypt*.a*" 2>/dev/null | while read filename; do echo $filename,`strings $filename | grep "OpenSSL 3" | wc -l`; done
osqueryi "SELECT distinct processes.name, process_open_sockets.local_port, process_memory_map.path as ssllib from process_memory_map join process_open_sockets USING (pid) join processes USING (pid) WHERE (process_memory_map.path LIKE '%lib%ssl%' OR process_memory_map.path LIKE '%lib%crypt%') AND process_memory_map.permissions LIKE '%x%' AND process_open_sockets.local_port <> 0;"
Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue -Path "C:\" -Filter "lib*ssl*"
- Correlation with other mission critical packages e.g. OpenSSH (https://twitter.com/j0hn__f/status/1587067842515673090): OpenSSH >= 8.9 is a relatively good indicator that the OS also ships with OpenSSL 3
- Hunt for "OpenSSL/3.*" in SIEM, WAF logs etc
Running the rules:
yara -r yara/... /path/to/check
Example here:
- TBC
- TBC