Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

OpenSSL Patches Flaws Found With Google Fuzzer

OpenSSL updates released on Thursday patch two low and medium severity vulnerabilities discovered using Google’s open source OSS-Fuzz fuzzing service.

OpenSSL updates released on Thursday patch two low and medium severity vulnerabilities discovered using Google’s open source OSS-Fuzz fuzzing service.

The medium severity flaw patched with the release of OpenSSL 1.1.0g and 1.0.2m is CVE-2017-3736. Described as a carry propagating bug in the x86_64 Montgomery squaring procedure, the security hole affects processors that support BMI1, BMI2 and ADX extensions (e.g. Intel Broadwell 5th generation and later, or AMD Ryzen).

These types of flaws could allow an attacker to recover encryption keys and access protected communications, but OpenSSL developers believe an attack is difficult to carry out.

“Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline,” OpenSSL said in an advisory.

“The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients,” it added.

Developers pointed out that the vulnerability is very similar to CVE-2015-3193, which was patched in December 2015, and CVE-2017-3732, one of the four security holes fixed this January. However, they believe CVE-2017-3736 needs to be treated separately.

The second vulnerability patched with the release of OpenSSL 1.1.0g and 1.0.2m is a low severity issue that could lead to an out-of-bounds (OOB) read. The flaw, tracked as CVE-2017-3735, has existed since 2006 and it was disclosed in August. While a source code fix was made available in August, developers believed it did not deserve an update due to its low severity.

The flaws resolved in the latest versions of OpenSSL were discovered using OSS-Fuzz, an open source fuzzing service launched by Google in December 2016. In the first months, the fuzzer helped find 264 potential security issues in 47 open source projects.

Advertisement. Scroll to continue reading.

This is the fourth round of OpenSSL updates released this year, but only two of the previous updates, from January and February, included security patches.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...