This blog describes the steps Stamus Networks customers may take to determine if any of your systems have been attacked in the past, are currently under attack or vulnerable as a result of the OpenSSL vulnerabilities outlined in CVE-2022-3602 and CVE-2022-3786.

To understand how your Stamus Security Platform or SELKS system may be impacted by these vulnerabilities, please refer to the blog posted on 1-November-2022, entitled, (https://www.stamus-networks.com/blog/openssl-and-stamus-networks).

BACKGROUND

On October 25, 2022, the OpenSSL Project announced they will be releasing an update to OpenSSL in order to address a “CRITICAL” vulnerability. The vulnerability was not disclosed at this time.

On November 1, 2022, the OpenSSL Project published an advisoryin which they shared more information about these buffer overflow vulnerabilities which affect versions 3.0.0 to 3.0.6 of OpenSSL: (https://www.openssl.org/news/secadv/20221101.txt)

• CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow
• CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow

Based on evidence gathered since the pre-announcement was made, OpenSSL downgraded the severity level of both CVEs to “HIGH.”

Read more on the OpenSSL blog here: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ 

We recommend you patch any vulnerable systems as soon as possible. 

In the meantime, you may take the following steps to help determine if any of your systems have been attacked in the past, are currently under attack or vulnerable.

DETECTION AND ESCALATION

Please follow the steps listed below in the Stamus Security Platform, “Hunt” interface

Create a Filter

NOTE: Portions of this are not applicable to the Stamus Probe Management license tier

Any CVE number can be searched in the Hunt interface.

To create a filter:

• In Hunt, click on the magnifying icon next to any signature (first group Signatures on the Dashboard tab).
• Click on the pencil/Edit icon on the resulting filter displayed as “Active Filters:”.
• Type the CVE number or a text descriptor with a wildcard (*) it at each end (for example: *CVE−2022-3602* )
• Select the checkbox “Wildcard view”
• Click Save
• You are now ready to review the results and events in the Dashboard, Host Insights and Alert views”

The example screenshot below shows how to do that for “CVE−2022-3602”

Save the Filter

NOTE: some items described here are not applicable to Stamus Probe Management license tier

The resulting filter can be saved by simply clicking on the “Save” link on the right-hand side of the “Active filter”.  Check “Shared” in the resulting dialog box if you want to make the filter available to all users. 

The newly created filter is now available in “Global Filter Sets” or “Private Filter Sets”

Review Detection Methods in Hunt

To review exactly what detection methods are available in Hunt for that specific vulnerability you can:

1. Head to the Signatures tab on the left-hand side in Hunt.
2. Select the “Content” option from the dropdown menu.
3. Type in the full CVE (i.e. CVE−2022-3602), hit Enter

Automated Escalation and  API Notification

NOTE: Portions are not applicable to Stamus ND or Stamus Probe Management license tiers.

If needed, an automated escalation to Declarations of Compromise™ (DoC) and webhooks is also possible, including from historical data.

For example, if it happened 24 hrs or 7 days ago it will still be detected and escalated based on that custom filter.

To do so:

1. After creating your filter as above 
2. From the right-hand side drop down menu, Policy Actions, select “Create DoC events”.

• Choose the plus (+) next to the Threat: Name
• Fill in the Threat Name, Description, and Additional information.
• Enter an Offender Key (i.e. src_ip)
• Enter an Asset Key (i.e. dest_ip)
• Leave Asset Type “IP”
• Set a Kill Chain phase (i.e. Exploit)
• Select “Generate DoC events from historical data”. [This will make sure historical events are also checked]
• If desired and webhooks are setup also select “Generate webhooks events from historical data”

The screenshot below shows the DoC event creation form:

Automated Classification and Tagging

Auto Tagging all relevant events is also an option. This will allow for any logs (alerts or protocol transaction events related to the alerts) to have a “Relevant” tag inserted in the JSON logs:

To do so:

• After creating your filter as above.
• From the right-hand side drop down menu -  Policy Actions , Select “Tag”.
• Add in an optional comment and select a ruleset.
• Update the threat detection (upload button in the middle of the top bar on the Hunt page, on the left-hand side of History, Filter Sets)

Export Data - SIEM / Elasticsearch / Kibana 

All data generated by Stamus Security Platform, such as alerts, protocol transactions, sightings events or Host Insights information, may be exported and shared with any SIEM or SOAR system.

Over 4000 fields are available -- from domain requests, http user agents used, hostnames, usernames logged in --  to encrypted analysis including JA3/JA3S fingerprinting, TLS certificates and more.

Any query of the Stamus Networks data (protocol transaction or alert logs) can be exported via a regular JSON log query or visualization export.

Example of Kibana query on alert events

To export CSV data from any info of the alerts you can open the SN-ALERT dashboard in Kibana, type in the filter “alert.signature.keyword:*CVE-2022-3602*” , then you can export a CSV of any visualization using “Inspect” (see example below):

Click on “Inspect” in any visualization to export a CSV

Export Data - Spunk

NOTE: portions of this section are not applicable to Stamus Probe Management.

Any query of the Stamus Networks data (protocol transaction or alert logs a like) in Splunk can be exported via a regular Splunk query or visualization export.

Example of a Splunk query on alert events

Splunk event_type=alert "alert.signature"="*CVE-2022-3602*"

Protocol Transactions

Stamus Networks provides a free Splunk app https://splunkbase.splunk.com/app/5262  that can be used to do specific CVE−2022-3602 searches.

If there are any Splunk visualizations queries that have supporting information for the CVE that needs to be exported, it can be done so by the native Splunk export functionality.

TROUBLESHOOTING AND HELP

Please reach out to support@stamus-networks.com with any questions or feedback.