This is going to be a big deal. So many applications and appliances that have received bare-minimum updates won't get a new OpenSSL major version. Expect new attacks on your shitty IoT devices in the coming year.
The majority of those applications and devices are already stuck on 0.9.x anyway, so it's not like it makes that much of a difference. It doesn't seem like that big of a deal to me.
The majority of "shitty IoT devices" only make outgoing TLS connections to relatively trusted external servers (i.e. the company's server), and it's hard enough to MITM connections at scale that you're probably fine. Just don't let a malicious stranger on your Wi-Fi.
Adding to that, it's also pretty hard to develop real exploits for the supposed RCE CVEs that you see. Like, most of them are "there's a buffer overrun, this is probably RCE", but most of the time it's actually "no, for all real builds of openssl, this is a crash and that is it".
You don’t need to do complicated MITM attacks to abuse these issues if you control the DNS servers, like if you’re the ISP or one of the parties that provide fashionable DNS servers like Google or Cloudflare.
Most OpenSSL CVEs suffer from massive severity inflation.
"If you can fool a client running on AIX to connect to a server with a deprecated hashing algorithm from 1986, you can make the client take an extra 40 milliseconds to process the packets."
Shitty IoT devices are too small to use OpenSSL anyway. The big ones are updated with their stack.
We started upgrading our stack about half a year ago, and 3.x should be ready now for the next release.
The biggest change was the outdated RC4, and it was a good thing to get rid of that cruft.
Plenty of IoT devices out there run on full-blown Raspberry Pis or equivalent boards. Paying someone to write embedded firmware is expensive; throwing together a UI in Python is cheap.
Not that this poses such an issue for those devices; I doubt they ever received firmware updates in the first place. Still, you'll find OpenSSL in the weirdest places.
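One practical check for "OpenSSL in the weirdest places": every OpenSSL build embeds its OPENSSL_VERSION_TEXT string (e.g. "OpenSSL 1.0.2k-fips  26 Jan 2017"), so a firmware dump or extracted root filesystem can be scanned for it without running anything on the device. The script below is an added example written for this thread, not code from anyone posting here; the embedded "firmware image" is constructed sample bytes, and the EoL rule it applies is only the one fact that every release branch before 3.0 is no longer supported upstream (3.x branches retire on a rolling schedule, so it does not try to date those).

```python
"""Scan a firmware image for embedded OpenSSL version strings and flag EoL branches."""
import re
import sys
from dataclasses import dataclass
from typing import List

# Every OpenSSL build embeds OPENSSL_VERSION_TEXT, for example:
#   "OpenSSL 1.0.2k-fips  26 Jan 2017"   (1.0.x: letter patch level, optional -fips)
#   "OpenSSL 3.0.9 30 May 2023"          (3.x: numeric patch level)
VERSION_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-fips)?\s+(\d{1,2} [A-Z][a-z]{2} \d{4})"
)


@dataclass(frozen=True)
class OpenSSLHit:
    version: str      # e.g. "1.0.2k"
    fips: bool        # True when the string carried the "-fips" suffix
    build_date: str   # date baked into the version string, e.g. "26 Jan 2017"
    eol: bool         # True when the release branch is no longer supported upstream


def branch_is_eol(major: int, minor: int) -> bool:
    """Every branch before 3.0 (0.9.x, 1.0.x, 1.1.0, 1.1.1) is end-of-life upstream.

    3.x branches retire on a rolling schedule; look those up in the project's
    release policy instead of hard-coding dates here.
    """
    return major < 3


def find_openssl_versions(blob: bytes) -> List[OpenSSLHit]:
    """Return each distinct OpenSSL version string found in blob, in order of first occurrence."""
    hits: List[OpenSSLHit] = []
    seen = set()
    for m in VERSION_RE.finditer(blob):
        major, minor, patch, letter, fips, date = (g.decode() if g else "" for g in m.groups())
        hit = OpenSSLHit(
            version=f"{int(major)}.{int(minor)}.{int(patch)}{letter}",
            fips=bool(fips),
            build_date=date,
            eol=branch_is_eol(int(major), int(minor)),
        )
        if hit not in seen:           # a statically linked image may repeat the string
            seen.add(hit)
            hits.append(hit)
    return hits


# Constructed sample "firmware": an ELF-looking header, a library path and two
# version strings, plus a fragment that must NOT match (no patch level, no date).
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"/usr/lib/libssl.so.1.0.0\x00"
    + b"OpenSSL 1.0.2k-fips  26 Jan 2017\x00"
    + b"\x90" * 8
    + b"OpenSSL 3.0.9 30 May 2023\x00"
    + b"compiled against OpenSSL 1.1\x00"
)


def report(blob: bytes) -> List[str]:
    """One human-readable line per hit."""
    return [
        f"OpenSSL {h.version}{' (FIPS)' if h.fips else ''} built {h.build_date}: "
        f"{'END-OF-LIFE branch' if h.eol else 'supported-era branch, verify upstream'}"
        for h in find_openssl_versions(blob)
    ]


if __name__ == "__main__":
    # Usage: python scan_openssl.py [firmware.bin]; with no argument the sample image is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for line in report(data) or ["no OpenSSL version string found"]:
        print(line)
```

A version string tells you which branch was compiled in, not which ciphers the vendor left enabled, so a hit on an EoL branch is a lead for a follow-up check against the device's actual TLS configuration rather than a finding by itself.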
The worst IoT devices are based on old EoL Android versions, hacked on without any understanding by each party, which adds a little and resells it as the next higher-margin product, like nesting matryoshka dolls, while planning to dissolve the respective business before anyone sues them for the abomination they cobbled together.