OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg have been released. The latest versions of the open-source SSL/TLS toolkit address several moderate and low severity security bugs.
The advisory published by the OpenSSL developers confirms that the recently disclosed vulnerability known as “Logjam” has been patched in OpenSSL 1.0.2b and 1.0.1n. The vulnerability (CVE-2015-4000) is similar to FREAK: a man-in-the-middle (MitM) attacker can use it to downgrade TLS connections to 512-bit export-grade Diffie-Hellman cryptography.
OpenSSL has addressed the weakness by rejecting handshakes with Diffie-Hellman parameters shorter than 768 bits. The limit will be increased to 1024 bits in a future release of OpenSSL.
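The check described above, as an added illustration that is not OpenSSL's own code: it parses the ServerDHParams structure a TLS 1.2 server sends in its ServerKeyExchange message (RFC 5246: dh_p, dh_g and dh_Ys, each prefixed with a two-byte length) and refuses any modulus below a configurable floor, with the 768-bit value from this release and the announced 1024-bit value as the two constants. The sample moduli are constructed integers of the right size, not real primes, and the function names are assumptions.

```python
"""Minimum Diffie-Hellman modulus check for a DHE ServerKeyExchange.

Added illustration, not OpenSSL code. It parses the ServerDHParams
structure from RFC 5246 (dh_p, dh_g, dh_Ys, each length-prefixed with a
two-byte big-endian length) and rejects a modulus below a configurable
bit floor, the way the patched OpenSSL rejects handshakes whose DH
parameters are shorter than 768 bits.
"""
import struct

MIN_DH_BITS_OPENSSL_1_0_2B = 768   # floor enforced by the 1.0.2b / 1.0.1n fix
MIN_DH_BITS_FUTURE = 1024          # floor OpenSSL announced for a future release


def _read_opaque16(buf, offset):
    """Read one <1..2^16-1> length-prefixed field; return (bytes, next offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated or empty DH field")
    return buf[offset:offset + length], offset + length


def parse_server_dh_params(buf):
    """Parse ServerDHParams and return (p, g, Ys) as integers."""
    p, off = _read_opaque16(buf, 0)
    g, off = _read_opaque16(buf, off)
    ys, off = _read_opaque16(buf, off)
    return (int.from_bytes(p, "big"),
            int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"))


def dh_modulus_bits(buf):
    """Bit length of the server's DH modulus p."""
    p, _, _ = parse_server_dh_params(buf)
    return p.bit_length()


def check_dh_strength(buf, min_bits=MIN_DH_BITS_OPENSSL_1_0_2B):
    """True if the modulus meets the floor, False if the handshake should be rejected."""
    return dh_modulus_bits(buf) >= min_bits


def make_server_dh_params(p, g, ys):
    """Encode ServerDHParams; used only to build the constructed samples below."""
    def opaque16(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return opaque16(p) + opaque16(g) + opaque16(ys)


# Constructed sample moduli: integers of the stated size, NOT real safe primes.
EXPORT_GRADE_512 = (1 << 511) | 0x1234567
P_768 = (1 << 767) | 0x1234567
P_1024 = (1 << 1023) | 0x1234567

SAMPLE_EXPORT = make_server_dh_params(EXPORT_GRADE_512, 2, 0xABCDEF)
SAMPLE_768 = make_server_dh_params(P_768, 2, 0xABCDEF)
SAMPLE_1024 = make_server_dh_params(P_1024, 2, 0xABCDEF)

if __name__ == "__main__":
    for name, sample in (("512-bit", SAMPLE_EXPORT),
                         ("768-bit", SAMPLE_768),
                         ("1024-bit", SAMPLE_1024)):
        print(name,
              "accepted at 768 floor:", check_dh_strength(sample),
              "| accepted at 1024 floor:", check_dh_strength(sample, MIN_DH_BITS_FUTURE))
```

Raising the floor is a one-constant change, which is why the 768-bit limit in this release and the planned 1024-bit limit are both kept as named values; the length checks in the parser matter because a truncated parameter block must be refused rather than read past its end.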
The latest updates also address a moderate severity denial-of-service (DoS) vulnerability caused by the way ECParameters structures are handled (CVE-2015-1788).
“When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field,” OpenSSL said in its advisory. “This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.”
The vulnerability affects all releases of OpenSSL 1.0.2 and 1.0.1, along with 1.0.0d and earlier and 0.9.8r and earlier; more recent 1.0.0 and 0.9.8 versions are not impacted.
Another moderate severity DoS flaw is an out-of-bounds read in the X509_cmp_time function (CVE-2015-1789).
“X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string,” OpenSSL said.
The vulnerability affects all current versions of OpenSSL and it can be exploited with the aid of malformed certificates and certificate revocation lists (CRLs) against applications that verify certificates or CRLs. The security hole was reported by Robert Swiecki of Google and independently by Hanno Böck.
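The defensive counterpart of the X509_cmp_time issue, as an added example that is not OpenSSL's code: RFC 5280 requires certificate validity times to be UTCTime in the form YYMMDDHHMMSSZ (13 characters) or GeneralizedTime as YYYYMMDDHHMMSSZ (15 characters), in UTC and without fractional seconds. The validator below checks the length and shape of the string before it indexes into it, so a short string is reported as an error instead of being read past its end, and a string carrying fractional seconds is rejected. The tag constants are the standard ASN.1 universal tags; the function names and the sample strings are constructed for this illustration.

```python
"""Strict validation of X.509 ASN.1 time strings before comparing them.

Added illustration, not OpenSSL code. Length and character checks run
before any indexing, so malformed input raises ValueError rather than
causing an out-of-bounds read, and fractional seconds (which RFC 5280
forbids in certificate validity times) are refused.
"""
from datetime import datetime, timezone

# ASN.1 universal tag numbers for the two time types.
TAG_UTCTIME = 0x17
TAG_GENERALIZEDTIME = 0x18


def parse_asn1_time(tag, value):
    """Return an aware UTC datetime for a well-formed time, or raise ValueError."""
    if tag == TAG_UTCTIME:
        expected_len, fmt = 13, "%y%m%d%H%M%SZ"      # YYMMDDHHMMSSZ
    elif tag == TAG_GENERALIZEDTIME:
        expected_len, fmt = 15, "%Y%m%d%H%M%SZ"      # YYYYMMDDHHMMSSZ
    else:
        raise ValueError("not a time tag: 0x%02x" % tag)

    # Length check first: every later access is then guaranteed in bounds.
    if len(value) != expected_len:
        raise ValueError("bad ASN.1 time length %d (expected %d)"
                         % (len(value), expected_len))
    if not value.endswith(b"Z"):
        raise ValueError("certificate times must be UTC (trailing 'Z')")
    if b"." in value:
        raise ValueError("fractional seconds are not permitted")
    if not value[:-1].isdigit():
        raise ValueError("non-digit character in ASN.1 time")

    try:
        dt = datetime.strptime(value.decode("ascii"), fmt)
    except ValueError as exc:
        raise ValueError("invalid calendar time: %r" % value) from exc

    # RFC 5280 two-digit year rule for UTCTime: 50..99 -> 19xx, 00..49 -> 20xx
    # (strptime's own pivot differs, so the year is set explicitly).
    if tag == TAG_UTCTIME:
        yy = int(value[:2])
        dt = dt.replace(year=1900 + yy if yy >= 50 else 2000 + yy)
    return dt.replace(tzinfo=timezone.utc)


def cmp_time(tag, value, now=None):
    """-1 if the encoded time is before `now`, 1 if it is at or after it.

    Unlike a comparison that trusts its input, this never touches a string it
    has not validated: malformed input raises ValueError instead.
    """
    t = parse_asn1_time(tag, value)
    if now is None:
        now = datetime.now(timezone.utc)
    return -1 if t < now else 1


# Constructed samples (not taken from any real certificate).
GOOD_UTC = b"150611120000Z"            # 2015-06-11 12:00:00 UTC
GOOD_GEN = b"20150611120000Z"          # same instant as GeneralizedTime
SHORT_UTC = b"1506111200Z"             # 11 chars: would be read out of bounds
FRACTIONAL_GEN = b"20150611120000.5Z"  # fractional seconds, forbidden

if __name__ == "__main__":
    for tag, sample in ((TAG_UTCTIME, GOOD_UTC), (TAG_GENERALIZEDTIME, GOOD_GEN),
                        (TAG_UTCTIME, SHORT_UTC), (TAG_GENERALIZEDTIME, FRACTIONAL_GEN)):
        try:
            print(sample, "->", parse_asn1_time(tag, sample).isoformat())
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Checking the length before anything else is the whole point: once the string is known to be exactly 13 or 15 bytes, no later index can run past it, and the fixed-format `strptime` pattern cannot consume a fractional-seconds suffix of arbitrary length.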
Michal Zalewski of Google discovered that applications designed to decrypt PKCS#7 data or parse PKCS#7 structures from untrusted sources can be caused to crash because missing inner EncryptedContent is not handled correctly (CVE-2015-1790). OpenSSL says the vulnerability does not affect clients and servers.
Another DoS bug that affects all current versions of OpenSSL has been assigned the CVE identifier CVE-2015-1792.
“When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID,” reads OpenSSL’s advisory. “This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.”
Finally, developers addressed a low severity bug that allows a remote, unauthenticated attacker to cause a DoS condition (CVE-2015-1791). According to an advisory published by Cisco for this issue, the vulnerability exists because session data is not handled properly.
“The vulnerability exists within the ssl3_get_new_session_ticket() function because the affected software fails to properly handle session data. The affected library improperly handles NewSessionTicket data when received by a multi-threaded client,” Cisco said. “An unauthenticated, remote attacker could exploit the vulnerability by transmitting crafted session requests to the targeted system. When processing such data, the library attempts to reuse a previous ticket and a race condition can occur which may lead to a double free memory error of the ticket data.”