OpenSSL Project Swats 8 Security Bugs

Several patches have been released today to plug eight vulnerabilities in OpenSSL.

The fixes are contained within OpenSSL 1.0.1k, 1.0.0p and 0.9.8zd. The two most serious of the bugs are classified by the OpenSSL Project as ‘moderate’ and could be leveraged to launch denial-of-service attacks. The remaining six issues are ranked ‘low’.

The first of the moderate bugs mentioned in the advisory can be triggered by a specially-crafted DTLS message to cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This issue affects all current OpenSSL versions (1.0.1, 1.0.0 and 0.9.8) and could lead to a denial-of-service attack, according to the advisory. The second moderate bug is a memory leak that can occur in the dtls1_buffer_record function under certain conditions.

“In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch,” according to the advisory. “The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.”

This bug impacts OpenSSL versions 1.0.1 and 1.0.0.

Tod Beardsley, Rapid7’s engineering manager, noted that while none of these issues reach “Heartbleed-levels of severity,” system administrators should plan to upgrade their OpenSSL server instances in the coming days.

“While we are still researching the implications of the eight issues announced today, the most severe vulnerabilities merely lead to a Denial of Service (DoS) condition on affected services using OpenSSL through either segmentation fault and crashing (CVE-2014-3571) or memory exhaustion (CVE-2015-0206),” he said. “Therefore, in order to maintain reliable service, OpenSSL should be upgraded or replaced by SSL libraries not affected by these issues, such as LibreSSL.”

The other vulnerabilities are related to a number of issues, including one where the OpenSSL server accepts a DH client certificate without the certificate verify message.


“This effectively allows a client to authenticate without the use of a private key,” according to the advisory. “This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.”

In another case, an OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. In effect, this removes forward secrecy from the ciphersuite, the advisory notes.
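The practical action the article recommends is checking whether a host's OpenSSL is at or above the fixed release for its branch (1.0.1k, 1.0.0p or 0.9.8zd). The following is an added example, not code from the article or from the OpenSSL Project, that parses the banner printed by `openssl version` and compares letter suffixes; the sample banners are constructed, and the dates in them are illustrative only.

```python
import re

# Fixed releases named in the advisory, one per supported branch.
FIXED = {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}

# First token of `openssl version` output: "OpenSSL <x.y.z><letters> <date>".
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def suffix_key(suffix):
    """Sort key for OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'.
    Longer suffixes come after shorter ones, matching the lettering scheme
    in which 'z' is followed by 'za', 'zb', ... (as on the 0.9.8 branch)."""
    return (len(suffix), suffix)


def parse_version(banner):
    """Split a version banner into (branch, suffix), e.g. ('1.0.1', 'k').
    Returns None when the text does not look like an OpenSSL banner."""
    match = _VERSION_RE.match(banner.strip())
    if not match:
        return None
    return match.group(1), match.group(2)


def is_patched(banner):
    """True if the release is at or above the fixed one for its branch,
    False if it is older, None for unknown banners or unlisted branches."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    branch, suffix = parsed
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return suffix_key(suffix) >= suffix_key(fixed)


# Constructed sample banners (not collected from real hosts).
SAMPLES = [
    "OpenSSL 1.0.1j 15 Oct 2014",
    "OpenSSL 1.0.1k 8 Jan 2015",
    "OpenSSL 1.0.0p 8 Jan 2015",
    "OpenSSL 0.9.8zc 15 Oct 2014",
    "OpenSSL 0.9.8zd 8 Jan 2015",
    "OpenSSL 1.0.2-beta3 15 Oct 2014",
]


def report(banners=SAMPLES):
    """Map each banner to its patch status (True / False / None)."""
    return {b: is_patched(b) for b in banners}


if __name__ == "__main__":
    labels = {True: "patched", False: "UPGRADE", None: "unknown branch"}
    for banner, status in report().items():
        print(f"{banner:32} -> {labels[status]}")
```

Distribution builds often backport the fixes without changing the letter suffix, so on such systems the package changelog, not the banner, is the authoritative check.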

The full advisory can be read here. 

Written By

Marketing professional with a background in journalism and a focus on IT security.
