
Thursday, April 16, 2026

6 Critical OpenSSL Vulnerabilities: The Permanent Fix Guide (Works for 2026 & Beyond)



Learn to fix OpenSSL NULL pointer & heap overflow vulnerabilities (CVE-2026-28387 to 31790) on Ubuntu, Rocky, SUSE. Includes check scripts, iptables mitigation, and a hands-on Docker lab for 2026 & beyond. 

In April 2026, SUSE released a patch for six OpenSSL 3 flaws, including a heap buffer overflow (CVE-2026-31789) and multiple NULL pointer dereferences that crash services (CVE-2026-28388, CVE-2026-28389). One of the bugs even affects DANE (DNS-based Authentication of Named Entities) and can lead to a use-after-free.

But vulnerabilities like these resurface every year. This guide gives you reusable commands to check, fix, or block any OpenSSL 3 issue—today or in 2028.

1. How to check if you are vulnerable (actual commands)

Run these to see whether your system uses a vulnerable OpenSSL 3 build (a base version before 3.2.3, unless your distro has backported the fixes to an older package version; the package version, not the bare OpenSSL version, is what tells you).

Ubuntu 22.04 / 24.04 (Debian-based)
bash
openssl version -a | head -1
# A bare "3.0.x" or "3.1.x" here is only a hint: distros backport fixes without
# bumping this number, so compare the package version below with the Ubuntu
# security tracker (USN) for these CVEs.
dpkg -l openssl libssl3


Rocky Linux 9 / AlmaLinux (RHEL-based)
bash
rpm -q openssl
# Compare with your distro’s security tracker. Example: openssl-3.0.7-30.el9_5 is fixed
dnf updateinfo list | grep openssl


SUSE Linux Enterprise / openSUSE Leap
bash
zypper info openssl-3 | grep Version
# Vulnerable if lower than 3.2.3-150700.5.31.1 (from the April 2026 advisory)
zypper patch-check

Universal test (checks NULL pointer risks)
bash
# Feeds an empty recipient certificate to the CMS code path and greps the error
# output for "NULL". This exercises the parser without crashing the shell, but
# it cannot tell a patched build from an unpatched one on its own; treat the
# package-version checks above as the authoritative answer.
echo "Test" | openssl cms -encrypt -recip /dev/null 2>&1 | grep "NULL"
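All of the checks above come down to comparing the installed package version with the fixed one, and a plain string comparison gets that wrong ("3.0.7-9" sorts after "3.0.7-30"). The helper below is an added example, not part of the original post: it uses GNU sort -V for the comparison, takes the SUSE and el9 fixed versions quoted in this section, and assumes the package names libssl3 (Debian/Ubuntu), openssl (el9) and openssl-3 (SUSE).

```shell
#!/bin/bash
# Added example: compare the installed OpenSSL package version with the fixed
# one using GNU "sort -V", so "3.0.7-9.el9_5" is correctly treated as older
# than "3.0.7-30.el9_5" (a plain string compare gets this backwards).
# openssl_is_fixed INSTALLED FIXED -> exit 0 if INSTALLED >= FIXED, else 1
openssl_is_fixed() {
    local lowest
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]   # fixed is the lowest => installed is equal or newer
}

# Fixed versions quoted in this guide (SUSE April 2026 advisory, el9 build);
# any other distro has to be looked up in its own security tracker.
fixed_version_for() {
    case "$1" in
        sles|suse|opensuse-leap) echo "3.2.3-150700.5.31.1" ;;
        rhel|rocky|almalinux)    echo "3.0.7-30.el9_5" ;;
        *) return 1 ;;
    esac
}

# Installed "version-release" from the package manager (package names assumed:
# libssl3 on Debian/Ubuntu, openssl on el9, openssl-3 on SUSE).
installed_version_for() {
    local v
    case "$1" in
        ubuntu|debian)           v=$(dpkg-query -W -f='${Version}' libssl3) ;;
        rhel|rocky|almalinux)    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl) ;;
        sles|suse|opensuse-leap) v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl-3) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${v#*:}"   # drop a leading "epoch:" if the package has one
}

# check_openssl OS_ID INSTALLED [FIXED] -> 0 fixed, 1 vulnerable, 2 unknown distro
check_openssl() {
    local fixed="${3:-}"
    [ -n "$fixed" ] || fixed=$(fixed_version_for "$1") || { echo "no fixed version known for $1"; return 2; }
    if openssl_is_fixed "$2" "$fixed"; then
        echo "OK: $1 openssl $2 >= $fixed"
    else
        echo "VULNERABLE: $1 openssl $2 < $fixed (update required)"; return 1
    fi
}

# Live check of this host: ./openssl-check.sh live [FIXED_VERSION]
if [ "${1:-}" = live ]; then
    os_id=$(. /etc/os-release && echo "$ID")
    check_openssl "$os_id" "$(installed_version_for "$os_id")" "${2:-}"
fi
```

On Ubuntu, pass the fixed version from the USN as the third argument, since this guide does not quote one for Debian-based systems.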

2. Automation script to apply the fix (bash)

Save as fix-openssl-now.sh and run as root
bash
#!/bin/bash
# Works on Ubuntu/Debian, Rocky/Alma/RHEL and SUSE/openSUSE - OpenSSL 3 patch automation

set -e

# Detect the distro from /etc/os-release (ID may or may not be quoted)
OS_ID=$(grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"')

case "$OS_ID" in
  ubuntu|debian)
    apt-get update
    # Upgrade only the OpenSSL packages, not the whole system
    apt-get install -y --only-upgrade openssl libssl3
    ;;
  rhel|rocky|almalinux)
    dnf update -y openssl
    ;;
  sles|suse|opensuse-leap)
    zypper --non-interactive update openssl-3
    ;;
  *)
    echo "Unsupported OS ($OS_ID). Update manually." >&2
    exit 1
    ;;
esac

# Running processes keep the old libssl mapped until they are restarted,
# so restart every service that uses TLS (only those present are touched).
echo "OpenSSL updated. Restart services using SSL (nginx, apache, sshd)."
systemctl try-restart nginx apache2 httpd sshd 2>/dev/null || true
openssl version

Run: chmod +x fix-openssl-now.sh && sudo ./fix-openssl-now.sh

3. Alternative mitigation if you can’t update now

If you cannot reboot or patch (e.g., legacy app), block the attack vectors with iptables or AppArmor.

Block Delta CRL & CMS packets (CVE-2026-28388/28390)
bash
# Rate-limit or drop malformed CMS traffic to port 443
# Caveat: -m string only sees the raw packet payload. A CMS object carried
# inside TLS on 443 is encrypted and will not match, while any cleartext
# packet that happens to contain the bytes "CMS" or "CRL" is dropped.
# Test on a staging host before applying to production.
iptables -A INPUT -p tcp --dport 443 -m string --string "CMS" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 25 -m string --string "CRL" --algo bm -j DROP

AppArmor profile to restrict OpenSSL memory access (prevents heap overflow)

bash
# Write the profile to /etc/apparmor.d/usr.bin.openssl, then load it
cat > /etc/apparmor.d/usr.bin.openssl <<'EOF'
#include <tunables/global>

profile openssl /usr/bin/openssl {
  #include <abstractions/base>   # libc, shared libraries, /dev/null, etc.
  capability net_raw,
  /usr/bin/openssl mr,
  /usr/lib/*/libcrypto.so.3 mr,
  /etc/ssl/** r,                 # openssl.cnf and the CA store
  deny /tmp/* rw,                # a confined openssl process cannot read or write under /tmp
}
EOF
apparmor_parser -r /etc/apparmor.d/usr.bin.openssl


Alternative: put a reverse proxy (such as HAProxy or Nginx) in front of the service to terminate TLS and sanitize incoming CMS/CRL requests before they reach your internal OpenSSL.


Suggested reading

Book: Bulletproof SSL and TLS by Ivan Ristić (Amazon)

Why this book matters:


It is the only book that explains how to audit cipher suites, mitigate NULL pointer bugs, and configure FIPS mode. It saves you from guessing during the next 10 CVE storms.


Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides, at no extra cost to you.


Conclusion

OpenSSL vulnerabilities aren't going away. The six flaws patched in April 2026—NULL dereferences, heap overflows, and use-after-free bugs—are the same patterns that will break your services again next year. 

You now have three permanent weapons: a check script that works on any major distro, an iptables shield for emergency mitigation, and a Docker lab to test fixes before touching production.
