SecurityWeek

OpenSSL Project Swats 8 Security Bugs

Several patches have been released today to plug eight vulnerabilities in OpenSSL.

The fixes are contained in OpenSSL 1.0.1k, 1.0.0p and 0.9.8zd. The two most serious bugs are classified by the OpenSSL Project as ‘moderate’ and could be leveraged to launch denial-of-service attacks. The remaining six issues are ranked ‘low’.

The first of the moderate bugs mentioned in the advisory can be triggered by a specially crafted DTLS message, which causes a segmentation fault in OpenSSL due to a NULL pointer dereference. This issue affects all current OpenSSL versions (1.0.1, 1.0.0 and 0.9.8) and could lead to a denial-of-service attack, according to the advisory. The second moderate bug is a memory leak that can occur in the dtls1_buffer_record function under certain conditions.

“In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch,” according to the advisory. “The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.”

This bug impacts OpenSSL versions 1.0.1 and 1.0.0.

Tod Beardsley, Rapid7’s engineering manager, noted that while none of these issues reach “Heartbleed-levels of severity,” system administrators should plan to upgrade their OpenSSL server instances in the coming days.

“While we are still researching the implications of the eight issues announced today, the most severe vulnerabilities merely lead to a Denial of Service (DoS) condition on affected services using OpenSSL through either segmentation fault and crashing (CVE-2014-3571) or memory exhaustion (CVE-2015-0206),” he said. “Therefore, in order to maintain reliable service, OpenSSL should be upgraded or replaced by SSL libraries not affected by these issues, such as LibreSSL.”
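For administrators triaging hosts, the following added example (not code from the advisory or from the OpenSSL Project) maps an upstream `openssl version` string to whichever of the two moderate issues it still contains, using the fixed releases and affected branches given in this article. The function names are hypothetical, and the six low-severity issues are not covered.

```python
import re

# Fixed releases named in the article, keyed by branch.
FIXED = {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}

# Branches each moderate issue affects, per the article.
AFFECTED = {
    "CVE-2014-3571": {"1.0.1", "1.0.0", "0.9.8"},  # DTLS NULL pointer dereference
    "CVE-2015-0206": {"1.0.1", "1.0.0"},           # dtls1_buffer_record memory leak
}

VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)\b")


def parse_version(text):
    """Return (branch, letter_suffix) from e.g. 'OpenSSL 1.0.1j 15 Oct 2014'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return m.group(1), m.group(2)


def suffix_rank(suffix):
    """Order patch letters: '' < a < ... < z < za < zb ...

    Comparing length first, then alphabetically, puts 'zd' after 'z'.
    """
    return (len(suffix), suffix)


def unpatched_moderate_issues(version_text):
    """List the two moderate CVEs still present in this upstream version."""
    branch, suffix = parse_version(version_text)
    if branch not in FIXED:
        raise ValueError(f"branch {branch} is not covered by this advisory")
    if suffix_rank(suffix) >= suffix_rank(FIXED[branch]):
        return []  # at or past the fixed release for this branch
    return sorted(cve for cve, branches in AFFECTED.items() if branch in branches)
```

Distribution packages often backport fixes without changing the upstream version string, so a result from this check should be confirmed against the vendor's package changelog.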

The other vulnerabilities are related to a number of issues, including one where the OpenSSL server accepts a DH client certificate without the certificate verify message.

“This effectively allows a client to authenticate without the use of a private key,” according to the advisory. “This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.”

In another case, an OpenSSL client will accept a handshake that uses an ephemeral ECDH ciphersuite with an ECDSA certificate if the server key exchange message is omitted. In effect, this removes forward secrecy from the ciphersuite, the advisory notes.

The full advisory can be read here. 

Written By

Marketing professional with a background in journalism and a focus on IT security.
