New OpenSSL vulnerability could facilitate DoS attacks 

Mar 19, 2015 02:26 PM

OpenSSL today released patches for a slew of previously unknown vulnerabilities, including one rated as high severity. Given the severity rating, the announcement will likely cause a scramble among systems administrators to update vulnerable installations before attackers begin to exploit the flaw. The vulnerability (CVE-2015-0291) could potentially be exploited by attackers in a denial-of-service (DoS) attack against affected servers.

OpenSSL is one of the most commonly used implementations of the SSL and TLS cryptographic protocols. The open-source software is used widely on internet-facing devices, including two-thirds of all web servers.

The security bulletin issued by the OpenSSL project today said that the new high severity vulnerability allowed a client to connect to an OpenSSL 1.0.2 server and renegotiate with an invalid signature algorithms extension, resulting in a NULL pointer dereference. “This can be exploited in a DoS attack against the server,” it said.

The vulnerability was one of 12 fixed in today’s update. OpenSSL also reclassified the previously disclosed FREAK vulnerability as high severity; it had formerly been rated “low severity.”

This vulnerability is the latest in a series of critical flaws that have been uncovered in SSL/TLS over the past year. Heartbleed, another OpenSSL vulnerability, hit the headlines in April last year after it was discovered that the flaw could allow attackers to intercept secure communications and steal sensitive information such as login credentials, personal data, or even decryption keys.

Four months later, a vulnerability known as POODLE was found in an older version of SSL, SSL 3.0. Although this version had long been superseded by newer versions of SSL and TLS, it was nevertheless exploitable, since nearly every web browser and a large number of web servers continued to support SSL 3.0. Attackers could potentially force a secure connection to downgrade to the SSL 3.0 protocol before exploiting the vulnerability.

Earlier this month, a vulnerability in SSL/TLS dubbed FREAK was announced, which could enable attackers to intercept and decrypt communications between affected clients and servers. FREAK facilitated man-in-the-middle (MITM) attacks against secure connections by forcing them to use "export-grade" encryption, a much weaker form of encryption that is easily crackable. Export-grade encryption is not usually used today.

Mitigation
Users of products that utilize OpenSSL are advised to update their installations immediately once the patch becomes available.
