OpenSSL issues urgent security advisory

OpenSSL has issued a new security advisory outlining more than a dozen issues ranging from high to low severity.

(Related: OpenSSL to undergo massive security audit)

On the heels of announcing a sweeping security audit of the now-stable OpenSSL codebase, the SSL/TLS security protocol underlying much of the Web’s encryption has published warnings for security issues affecting versions 0.9.8 through 1.0.2. Kowsik Guruswamy, chief technology officer of cyber security startup Menlo Security, said the new set of vulnerabilities allow for a remote attacker to take down a server running OpenSSL resulting in a Denial of Service, but that  fortunately the scope of the DoS vulnerability is limited to version 1.0.2. Ultimately he attributes the changes in vulnerability severity to the rising number of OpenSSL deployments targeted with various exploits.

“Vulnerable servers are being exploited by cyber criminals as a launching pad for delivering malware to unsuspecting end users,” said Guruswamy. “If anything, this act is trending higher. As SSL on the Internet becomes more prevalent, enterprises are going to face a much higher risk. This is partly because most enterprises, for privacy reasons, don’t inspect SSL traffic and this is an easy channel for malware to ride on without getting noticed.”

The high and moderate-severity advisories with update recommendations are as follows:

High Severity

• ClientHello sigalgs DoS: If a client connects to an OpenSSL server and renegotiates with an invalid signature algorithm extension, a NULL pointer dereference will occur, which can be exploited in a DoS server attack. Versions affected: OpenSSL 1.0.2. Recommendation: Upgrade to version 1.0.2a.
• RSA silently downgrades to EXPORT_RSA: Previously classified as low severity, what was thought to be a rare RSA export cipher suite support vulnerability has been shown to be a far more common breach, leaving servers open to man-in-the-middle attacks. Versions affected: OpenSSL 0.9.8, 1.0.0 and 1.0.1. Recommendation: Upgrade to versions 0.9.8zd, 1.0.0p and 1.0.1k, respectively.

Moderate Severity

• Multiblock corrupted pointer: The “multiblock” performance improvement introduced in OpenSSL 1.0.2 for 64-bit x86 architecture platforms contains an implementation defect causing OpenSSL’s internal write buffer to incorrectly set to NULL when using non-blocking IO, which leaves the server vulnerable to DoS attack if a socket BIO is used. Versions affected: OpenSSL 1.0.2. Recommendation: Upgrade to version 1.0.2a.
• Segmentation fault in DTLSv1_listen: The stateless function, intended for user code looping in ClientHello processing and cookie association, contains a defect in SSL object invocation, triggering ClientHello errors and segmentation faults. Versions affected: OpenSSL 1.0.2. Recommendation: Upgrade to version 1.0.2a.
• Segmentation fault in ASN1_TYPE_cmp: Function will crash with an invalid read if an attempt is made to compare ASN.1 Boolean types, which can be used to crash certificate verification operations and exploit them using DoS attack. Versions affected: All current OpenSSL versions (0.9.8-1.0.2.) Recommendation: Upgrade to versions 0.9.8z, 1.0.0r, 1.0.1m and 1.0.2a, respectively.
• Segmentation fault for invalid PSS parameters: Signature verification routines crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parameters, exploitable by DoS attack in any application performing certificate verification. Versions affected: OpenSSL 1.0.2. Recommendation: Upgrade to version 1.0.2a.
• 1 structure reuse memory corruption: Reusing a structure in ASN.1 parsing (a strongly discouraged practice) may allow an attacker to cause memory corruption via an invalid write. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected, while certificate parsing in OpenSSL clients and servers are unaffected. Versions affected: All current OpenSSL versions Recommendations: Do not perform ASN.1 structure reuse; upgrade to corresponding versions.
• PKCS7 NULL pointer dereferences: PKCS#7 parsing code does not handle missing outer ContentInfo correctly, allowing an attacker to craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Versions affected: All current OpenSSL versions. Recommendation: Upgrade to corresponding versions.
• Base64 decode vulnerability: A long-existing vulnerability not included in any security advisories up until now, the base64 encoded data processing flaw allows any code path reading the data from an untrusted source to process maliciously crafted base64 data to trigger segmentation faults or memory corruption. Versions affected: OpenSSL 0.9.8, 1.0.0 and 1.0.1. Recommendation: Upgrade to versions 0.9.8za, 1.0.0m and 1.0.1h, respectively.
• DoS via reachable assert in SSLv2 servers: A malicious client can trigger an OPENSSL_assert abort command in servers supporting SSLv2, enabling export cipher suites by sending a specially crafted SSLv2 Client Master Key message. Versions affected: All current OpenSSL versions. Recommendation: Upgrade to corresponding versions.
• Empty CKE with client authorization and DHE: If client authorization is used, a server can segment fault in the event of a DHE cipher suite selection and sending of a zero-length ClientKeyExchange message, resulting in DoS attack vulnerability. Versions affected: OpenSSL 1.0.2 Recommendation: Upgrade to version 1.0.2a.

The entire OpenSSL security advisory, including the three low-severity issues and attributions for who discovered each vulnerability, can be found here.