
OpenSSL Updates Address a Dozen Vulnerabilities

OpenSSL 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf have been released. The latest updates include fixes for several bugs and security issues.

After OpenSSL announced earlier this week that the most serious flaw fixed with these updates has been classified as “high severity,” some suggested that it might be a vulnerability as critical as Heartbleed, but it doesn’t seem to be the case.

The only high severity issue fixed in the latest versions of OpenSSL is a denial-of-service (DoS) vulnerability (CVE-2015-0291). The flaw was reported on February 26 by David Ramos of Stanford University and it affects OpenSSL 1.0.2.

“If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server,” the OpenSSL Project team wrote in an advisory.

OpenSSL 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf include fixes for a total of eight moderate severity vulnerabilities. One of the weaknesses is caused by a corrupted pointer in the recently introduced “multiblock” performance feature (CVE-2015-0290). In some cases, the vulnerability can be leveraged for a DoS attack, OpenSSL said.

The list of moderate severity vulnerabilities also includes two segmentation faults related to the DTLSv1_listen (CVE-2015-0207) and ASN1_TYPE_cmp (CVE-2015-0286) functions. A different segmentation fault that can be exploited in a DoS attack is related to signature verification routines (CVE-2015-0208).

A DoS condition can also be caused by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message to servers that support SSLv2 and enable export cipher suites (CVE-2015-0293), or by sending an empty ClientKeyExchange message if client auth and the DHE ciphersuite are used (CVE-2015-1787).

The remaining moderate severity issues have been described as an ASN.1 structure reuse memory corruption (CVE-2015-0287) and PKCS7 NULL pointer dereferences (CVE-2015-0289). These flaws don’t affect OpenSSL clients and servers.

The low severity vulnerabilities are a NULL pointer dereference related to the X509_to_X509_REQ function, a use-after-free following a d2i_ECPrivatekey function error, and an issue that allowed an OpenSSL 1.0.2 client to complete a handshake with an unseeded pseudorandom number generator (PRNG).

OpenSSL 1.0.1, 1.0.0 and 0.9.8 are affected by a vulnerability related to processing base64 encoded data (CVE-2015-0292). An attacker can use maliciously crafted base64 data to trigger a segmentation fault or memory corruption. This issue was fixed in earlier versions of OpenSSL, but this is the first time it has been mentioned in an advisory.

Initially, the OpenSSL Project rated the recently disclosed FREAK bug as “low severity” because it thought that not many servers supported the weak RSA export-grade ciphersuite. After seeing that RSA export ciphersuite support is common, OpenSSL has decided to change the severity rating to “high.” It’s worth noting that OpenSSL fixed the FREAK flaw back in early January.

“After Heartbleed, POODLE and other recent OpenSSL bugs, organizations should have a good handle on what systems in their environments need to be patched and what needs to be done to patch them. If you are still trying to get a handle on where your network is vulnerable to OpenSSL issues and what needs to be done to remediate that issue, you should probably take a close look at your processes and see where you can streamline those efforts,” Cris Thomas, strategist at Tenable Network Security, told SecurityWeek.

“By now a new critical vulnerability in OpenSSL should not be a fire drill for CISOs and IT security teams; there have been several previous instances to practice and refine your technique, and by now it should be a simple matter of following the procedures you developed based on the previous instances,” Thomas added.

Trey Ford, global security strategist at Rapid7, noted that the fixes should be applied as soon as possible on Internet-exposed systems because attack code will be quickly built by reverse engineering the published patches.
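
For teams working through that patching step, the following added example (not part of the original article and not OpenSSL tooling) compares `openssl version` banners against the fixed releases named above, one branch at a time. The host names and banners are constructed sample data, and distribution packages that backport fixes keep older version strings, so a "needs-update" result on such a system means checking the vendor advisory.

```python
import re

# Fixed releases named in the article, keyed by release branch.
# Each branch has its own fixed patch letter: 1.0.2 is a newer branch than
# 1.0.1m, yet a plain 1.0.2 build still predates its fix (1.0.2a).
FIXED = {(1, 0, 2): "a", (1, 0, 1): "m", (1, 0, 0): "r", (0, 9, 8): "zf"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract (branch, patch_letters) from e.g. 'OpenSSL 1.0.1k 8 Jan 2015'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix)), letters


def classify(text):
    """Return 'fixed', 'needs-update', or 'unknown-branch' for a version banner."""
    branch, letters = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"  # branch not covered by this set of releases
    # Patch letters run '' < a < ... < z < za < zb ..., which matches
    # ordinary string ordering, so a direct comparison is sufficient.
    return "fixed" if letters >= fixed else "needs-update"


def audit(inventory):
    """Return the sorted host names whose banner predates the fixed release."""
    return sorted(h for h, banner in inventory.items()
                  if classify(banner) == "needs-update")


# Constructed sample inventory: host name -> output of `openssl version`.
INVENTORY = {
    "web-01": "OpenSSL 1.0.2 22 Jan 2015",
    "web-02": "OpenSSL 1.0.1m 19 Mar 2015",
    "mail-01": "OpenSSL 0.9.8ze 15 Jan 2015",
    "vpn-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "legacy-01": "OpenSSL 0.9.7m 23 Feb 2007",
}

if __name__ == "__main__":
    for host, banner in sorted(INVENTORY.items()):
        print(f"{host:10} {classify(banner):15} {banner}")
```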

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
