Several patches have been released today to plug eight vulnerabilities in OpenSSL.
The fixes are contained within OpenSSL 1.0.1k, 1.0.0p and 0.9.8zd. The most serious of the bugs are classified by the OpenSSL Project as ‘moderate’ and could be leveraged to launch denial-of-service attacks. The remaining six issues are ranked ‘low’.
The first of the moderate bugs mentioned in the advisory can be triggered by a specially-crafted DTLS message to cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This issue affects all current OpenSSL versions (1.0.1, 1.0.0 and 0.9.8) and could lead to a denial-of-service attack, according to the advisory. The second moderate bug is a memory leak that can occur in the dtls1_buffer_record function under certain conditions.
“In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch,” according to the advisory. “The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.”
This bug impacts OpenSSL versions 1.0.1 and 1.0.0.
Tod Beardsley, Rapid7’s engineering manager, noted that while none of these issues reach “Heartbleed-levels of severity,” system administrators should plan to upgrade their OpenSSL server instances in the coming days.
“While we are still researching the implications of the eight issues announced today, the most severe vulnerabilities merely lead to a Denial of Service (DoS) condition on affected services using OpenSSL through either segmentation fault and crashing (CVE-2014-3571) or memory exhaustion (CVE-2015-0206),” he said. “Therefore, in order to maintain reliable service, OpenSSL should be upgraded or replaced by SSL libraries not affected by these issues, such as LibreSSL.”
The other vulnerabilities are related to a number of issues, including one where the OpenSSL server accepts a DH client certificate without the certificate verify message.
“This effectively allows a client to authenticate without the use of a private key,” according to the advisory. “This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.”
In another case, an OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. In effect, this removes forward secrecy from the ciphersuite, the advisory notes.
The full advisory can be read here.
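For administrators planning the upgrade, the sketch below is an added example, not code from the OpenSSL Project or the advisory. It compares `openssl version` style strings against the three fixed releases named at the top of the article; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {(1, 0, 1): "k", (1, 0, 0): "p", (0, 9, 8): "zd"}

# Matches e.g. "1.0.1e" inside "OpenSSL 1.0.1e-fips"; the letter suffix may be empty.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) from an `openssl version` style string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g) for g in m.groups()[:3]), m.group(4)


def classify(text):
    """Classify a version string relative to the fixed release of its branch."""
    branch, letters = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        # The article names no fixed release for this branch (or other library).
        return "branch-not-covered"
    # Letter releases run a..z, then za, zb, ...; plain string ordering
    # matches that sequence, and "" (the base release) sorts first.
    return "predates-fix" if letters < fixed else "at-or-after-fix"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    inventory = {
        "vpn-gw-01": "OpenSSL 1.0.1e-fips",
        "legacy-app": "OpenSSL 0.9.8zc",
        "web-02": "OpenSSL 1.0.1k",
        "mail-01": "LibreSSL 2.1.2",
    }
    for host, banner in sorted(inventory.items()):
        print(f"{host:12} {banner:22} {classify(banner)}")
```

Distribution packages often backport fixes without changing the upstream letter, so a `predates-fix` result should be confirmed against the vendor's own advisory before it is treated as exposure.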
