Stop guessing whether your OpenSSL is vulnerable. This evergreen guide shows you how to check for CVE-2026-28390 (NULL pointer dereference in CMS parsing), apply the fix with a script, and reduce your exposure with iptables if you can't update right now. Includes scripts for openSUSE, SUSE..
In April 2026, a moderate-severity but important vulnerability was disclosed in OpenSSL (CVE-2026-28390): a maliciously crafted CMS message triggers a NULL pointer dereference and crashes the application that parses it, a denial of service.
The news cycle around that date is over, but the problem isn't. Any server still running an unpatched OpenSSL remains at risk today. This guide gives you the commands to check whether you are affected, apply the fix, and limit your exposure until you can.
How to Check if You are Vulnerable (Real Commands)
This vulnerability affects the OpenSSL 1.1.1 series when processing specific CMS (Cryptographic Message Syntax) structures. Do not rely on your OS release alone, and do not stop at the openssl command-line tool: check the shared library (libssl/libcrypto) that your services actually load, because that is what parses the message.
Step 1: Find your OpenSSL version
openssl version -a
Step 2: Exercise the CMS parser (sanity check only)
On any server that receives S/MIME or CMS data (mail servers, SOAP endpoints), confirm that the openssl binary and its libssl load and reject empty input cleanly:
# Feeds the CMS verifier an empty DER message and shows the exit status;
# an exit status of 139 would mean the process died with SIGSEGV
openssl cms -verify -inform DER -in /dev/null; echo "exit status: $?"
Note: every version, patched or not, answers this with a parsing error, so a parsing error here does not prove you are safe and a crash would indicate a different problem than this CVE. The package version check in Step 3 is the authoritative test. Do not try to reproduce the crash with crafted messages on production systems.
Step 3: Check if your package is vulnerable (openSUSE / SUSE)
zypper info libopenssl1_1 openssl-1_1 | grep -E '^(Name|Version)'
# libopenssl1_1 is the shared library your services load; openssl-1_1 is only the CLI
# Compare against the fixed version: 1.1.1l-150400.7.93.1 or higher
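The three steps above come down to one comparison: is the installed package version at or above the fixed one? Doing that with a plain string comparison gets it wrong (for example "7.100.1" sorts before "7.93.1" as text), so the following added helper, which is not part of the original guide, compares versions segment by segment the way a package manager does. The fixed version string is the one quoted above for openSUSE Leap 15.4; the package name libopenssl1_1 and the use of rpm for the live check are assumptions for SUSE-family hosts.

```sh
#!/bin/sh
# Added example, not from the original guide: compare an installed OpenSSL package
# version against the fixed version, segment by segment. Assumes the openSUSE
# library package name libopenssl1_1 and rpm for the optional live check.

FIXED_VERSION="1.1.1l-150400.7.93.1"   # fixed version quoted in the guide

# vercmp A B -> prints -1, 0 or 1 for A<B, A==B, A>B.
# Versions are split on punctuation and at letter/digit boundaries, so
# "1.1.1l-150400.7.93.1" becomes: 1 1 1 l 150400 7 93 1. Segments that are both
# numeric are compared as numbers (93 < 100); anything else as strings (k < l).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[A-Za-z]+/, " &", a); gsub(/[^0-9A-Za-z]+/, " ", a)
        gsub(/[A-Za-z]+/, " &", b); gsub(/[^0-9A-Za-z]+/, " ", b)
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""
            y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# openssl_needs_update INSTALLED [FIXED] -> exit 0 when INSTALLED is older than FIXED.
openssl_needs_update() {
    [ "$(vercmp "$1" "${2:-$FIXED_VERSION}")" -lt 0 ]
}

# Live check on an RPM-based host: query the library package, not the CLI.
# Returns 0 = patched, 1 = vulnerable, 2 = could not determine.
check_installed_library() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipping live check"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libopenssl1_1 2>/dev/null) || {
        echo "libopenssl1_1 is not installed"; return 2; }
    if openssl_needs_update "$installed"; then
        echo "VULNERABLE: libopenssl1_1 $installed is older than $FIXED_VERSION"
        return 1
    fi
    echo "OK: libopenssl1_1 $installed is at or above $FIXED_VERSION"
    return 0
}

# Run with --live to query the local RPM database; otherwise only define the helpers.
if [ "${1:-}" = "--live" ]; then
    check_installed_library
fi
```

Usage: source the file and call `vercmp 1.1.1l-150400.7.92.1 "$FIXED_VERSION"` (prints -1, i.e. older), or run it with `--live` on the host to check libopenssl1_1 directly. The awk comparator is deliberately dependency-free so it behaves the same on minimal images that lack `sort -V` or `zypper versioncmp`.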
Automation Script to Apply the Fix (Works on 4 major distros)
#!/bin/bash
# Evergreen fix for CVE-2026-28390 (NULL pointer dereference in CMS)
# Run as root
set -eu

OS=unknown
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
fi

echo "Detected $OS. Updating OpenSSL..."
case $OS in
    opensuse-leap|opensuse-tumbleweed|opensuse|sles|suse)
        # services load libopenssl1_1; openssl-1_1 is only the command-line tool
        zypper refresh
        zypper update -y libopenssl1_1 openssl-1_1
        ;;
    rhel|centos|rocky|almalinux|fedora)
        # dnf on RHEL 8+ and Fedora, yum on RHEL 7 and older; openssl-libs is the library
        if command -v dnf >/dev/null 2>&1; then
            dnf update -y openssl openssl-libs
        else
            yum update -y openssl openssl-libs
        fi
        ;;
    debian|ubuntu)
        # the shared library is in libssl1.1 (libssl3 on newer releases), not in "openssl";
        # --only-upgrade skips any listed package that is not installed
        apt-get update
        LIBSSL=$(dpkg-query -W -f='${Package}\n' libssl1.1 libssl3 2>/dev/null || true)
        apt-get install -y --only-upgrade openssl $LIBSSL
        ;;
    *)
        echo "Unsupported OS ($OS). Manual update required." >&2
        exit 1
        ;;
esac

echo "Verifying fix..."
openssl version
echo "Fix applied. Restart every service that loads libssl (nginx, apache, postfix, ...)."
Save it as fix-openssl-cms.sh, then make it executable and run it: chmod +x fix-openssl-cms.sh && sudo ./fix-openssl-cms.sh
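The script's last line matters more than it looks: a daemon that loaded the old libssl keeps running the vulnerable code until it is restarted, even though the file on disk is now fixed. The kernel marks such mappings "(deleted)" in /proc/PID/maps, which gives you a reliable way to list exactly which processes still need a restart. The following is an added example, not part of the original guide; it assumes a Linux /proc layout, and the maps lines it ships with are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original guide): after the package update, find
# processes that still have the OLD libssl/libcrypto mapped. The kernel marks a
# mapping "(deleted)" when the file was replaced on disk after the process loaded
# it, so those processes still run vulnerable code until restarted.
# Assumes a Linux /proc layout; reading other users' maps requires root.

# Reads one process's /proc/PID/maps on stdin; prints each distinct libssl or
# libcrypto path whose mapping is marked deleted. Exit 0 if any, 1 otherwise.
# Field 6 of a maps line is the path, and "(deleted)" follows it as field 7.
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" { seen[$6] = 1 }
         END {
             n = 0
             for (p in seen) { print p; n++ }
             exit (n ? 0 : 1)
         }'
}

# Walks every process and prints "PID COMM: stale libs" for each one that needs
# a restart. Exit 0 if at least one was found, 1 if none.
stale_ssl_processes() {
    found=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if libs=$(stale_ssl_maps < "$maps" 2>/dev/null); then
            printf '%s %s: %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" \
                "$(printf '%s' "$libs" | tr '\n' ' ')"
            found=0
        fi
    done
    return $found
}

# Constructed sample maps of a daemon that loaded libssl before the update;
# libc was not replaced, so only libssl is stale. The third line is an anonymous
# mapping with no path at all.
SAMPLE_MAPS='7f3a1c2e4000-7f3a1c30a000 r--p 00000000 08:01 1234567 /usr/lib64/libssl.so.1.1 (deleted)
7f3a1c30a000-7f3a1c500000 r-xp 00000000 08:01 1234568 /usr/lib64/libc.so.6
7f3a1c600000-7f3a1c700000 rw-p 00000000 00:00 0'

if [ "${1:-}" = "--live" ]; then
    stale_ssl_processes || echo "no process has a stale libssl/libcrypto mapping"
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps   # prints /usr/lib64/libssl.so.1.1
fi
```

Run it with `--live` as root right after the update: every PID it prints is a service to restart (or, for a forked worker model like postfix or nginx, the master process). A clean run with no output is the condition you actually want before declaring the host fixed; `openssl version` alone cannot tell you that.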
Alternative Mitigation If You Can't Update Now
Sometimes you cannot restart a legacy application or update the system library. Be clear about what the network-level rules below can and cannot do: iptables does not inspect CMS content, so it cannot recognise or stop a crafted message. What it can do is limit how fast an attacker can reach the parser, which turns a crash loop into a slow trickle until you can patch. Treat these rules as a stopgap, not a fix.
Block crafted CMS messages with iptables
The attack uses a specific KeyTransportRecipientInfo structure. Since you cannot filter on CMS content at the packet level, rate-limit new connections to the services that parse S/MIME, typically SMTP on ports 25 and 587 (submission). Rate-limit only NEW connections, per source address, and accept established traffic first; otherwise the rule throttles every packet of every session and breaks legitimate mail. The numbers below are illustrative, not a recommendation: pick limits that fit your real mail volume.
# Accept packets of existing connections first, so the limits only affect new sessions
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop sources that open more than 5 new SMTP/submission connections per minute
# (burst of 10), which mitigates a crash-loop DoS without cutting off everyone
iptables -A INPUT -p tcp -m multiport --dports 25,587 -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit-name smtp_new --hashlimit-mode srcip \
    --hashlimit-above 5/min --hashlimit-burst 10 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
# For HTTPS servers: LOG unusually large connections so you can investigate.
# Do not DROP on this match: ordinary TLS sessions routinely transfer 10-200 KB,
# so dropping them would take your own service down
iptables -A INPUT -p tcp --dport 443 -m connbytes --connbytes 10000:200000 \
    --connbytes-dir both --connbytes-mode bytes -j LOG --log-prefix "CMS_SUSPECT "
AppArmor profile (openSUSE / SUSE only)
This confines only the /usr/bin/openssl command-line tool. It does nothing for libssl loaded inside nginx, postfix or your own daemons, and it cannot stop a NULL pointer dereference from crashing the process; it is defence in depth for hosts where scripts invoke the openssl binary on untrusted CMS input. Note that files under /etc/apparmor.d/local/ only hold extra rules for a profile that already exists; the profile header itself belongs in /etc/apparmor.d/.
# /etc/apparmor.d/usr.bin.openssl
#include <tunables/global>
/usr/bin/openssl {
  #include <abstractions/base>
  #include <abstractions/openssl>
  deny /dev/mem rw,
  deny @{PROC}/*/mem rw,
  signal (receive) set=(kill) peer=/usr/sbin/nginx,
}
# Load (or reload) the profile without restarting the whole AppArmor service
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.openssl
Suggested Reading
Demystifying Cryptography with OpenSSL 3.0 by Alexei Khlebnikov (Amazon)