Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

OpenSSL Patches Moderate Severity Vulnerabilities

The OpenSSL Project released on Thursday versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh of the cryptographic software library to fix several security flaws and functionality bugs.

A total of three vulnerabilities classified as “moderate” severity have been patched in the latest versions.

The OpenSSL Project released on Thursday versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh of the cryptographic software library to fix several security flaws and functionality bugs.

A total of three vulnerabilities classified as “moderate” severity have been patched in the latest versions.

One of the flaws is related to the BN_mod_exp function, which researcher Hanno Böck discovered that it could produce incorrect results on x86_64 systems. The issue has been assigned the CVE-2015-3193 identifier.

According to the OpenSSL Project, the vulnerability, which only affects OpenSSL 1.0.2, can be exploited against RSA, DSA (Digital Signature Algorithm), and Diffie–Hellman (DH) algorithms, but such attacks would be very difficult to pull off. Elliptic curve (EC) algorithms are not affected.

“The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites,” reads the security advisory.

Another issue, which affects both the 1.0.2 and 1.0.1 versions of OpenSSL, is related to certificate signature verification (CVE-2015-3194) and can be exploited for denial-of-service (DoS) attacks.

The vulnerability, reported in August by Loïc Jonas Etienne of Qnective AG, can be leveraged to crash certificate verification operations. Applications that perform certificate verification are affected, including OpenSSL servers and clients that enable client authentication.

The third flaw was reported in November by Google’s Adam Langley. The expert discovered that OpenSSL leaks memory when presented with a malformed X509_ATTRIBUTE structure (CVE-2015-3195). All OpenSSL versions are affected.

“This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected,” noted OpenSSL developers.

The OpenSSL Project’s advisory also details a low severity vulnerability that could result in a race condition (CVE-2015-3196). The flaw was previously fixed in OpenSSL 1.0.2d and 1.0.1p, but it had not been disclosed. A fix has now been included in OpenSSL 1.0.0t.

The fixes for these vulnerabilities have been developed by Andy Polyakov and Dr. Stephen Henson, both of the OpenSSL development team.

The OpenSSL Project has once again reminded users that these will likely be the last updates for OpenSSL 1.0.0 and 0.9.8 as these versions will no longer be supported starting with January 1, 2016.

Node.js developers had planned to release security updates on Tuesday. However, since Node.js uses OpenSSL, the release of the updates has been postponed until Thursday so that the OpenSSL updates can be included as well.

“We understand that the timing of this during the work-week is unfortunate but we must take into account the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical,” said Node.js developers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.