Devs remind users that older builds will be discontinued this year

Jan 9, 2015 14:54 GMT

OpenSSL has been updated to new versions as its maintainer repaired a set of eight security glitches, most of them rated as low severity.

The risks they pose range from denial-of-service attacks to changing a certificate's fingerprint, client authentication without a verification message for a DH (Diffie-Hellman) certificate, a client accepting the use of a temporary RSA key, and a handshake that removes forward secrecy from the ciphersuite.

Moderate severity flaws get fixed

Two of the flaws have been marked with moderate severity: one is a memory leak in dtls1_buffer_record, while the other causes a DTLS segmentation fault in dtls1_get_record. Exploiting either of them would result in a denial-of-service (DoS) condition.

“A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack,” reads the advisory for the former glitch identified as CVE-2015-0206.

In the case of the latter, tracked as CVE-2014-3571, certain conditions have to be met for the memory leak to occur. An attack leveraging it would require the attacker to send repeated DTLS (Datagram Transport Layer Security) records that have the same sequence number but are intended for the next epoch. Exhausting memory would lead to DoS.

Multiple researchers disclosed the glitches

All vulnerabilities described in the advisory affect versions 1.0.1 and 1.0.0 of OpenSSL, while only some of them also impact the 0.9.8 revisions.

Users are advised to update their OpenSSL builds to the latest releases: 1.0.1k, 1.0.0p and 0.9.8zd.
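A quick way to check a build against the fixed releases listed above is to compare the letter suffix reported by `openssl version`. The sketch below is an added example, not code from the article or from the OpenSSL project; the function names and the sample version strings are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by branch.
FIXED = {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}

_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Split e.g. 'OpenSSL 1.0.1j 15 Oct 2014' into ('1.0.1', 'j')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return m.group(1), m.group(2)


def patch_rank(letters):
    """Order patch letters: '' < a < ... < z < za < zb < ...

    Letter releases continue past 'z' as 'za', 'zb', so the suffix
    length is compared first and the letters themselves second.
    """
    return (len(letters), letters)


def status(text):
    """Return 'patched', 'needs-update' or 'unknown-branch'."""
    branch, letters = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"  # branch not covered by the article
    if patch_rank(letters) >= patch_rank(fixed):
        return "patched"
    return "needs-update"


if __name__ == "__main__":
    # Constructed sample inputs in the format `openssl version` prints.
    samples = [
        "OpenSSL 1.0.1j 15 Oct 2014",
        "OpenSSL 1.0.1k 8 Jan 2015",
        "OpenSSL 1.0.0o 15 Oct 2014",
        "OpenSSL 0.9.8z",
        "OpenSSL 0.9.8zd 8 Jan 2015",
    ]
    for line in samples:
        print("%-30s %s" % (line, status(line)))
```

Distribution packages often backport fixes without changing the upstream letter, so a "needs-update" result on a vendor build should be confirmed against the package changelog.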

Credit for finding and reporting the weaknesses goes to researchers from Cisco Systems, the PROSECCO team at INRIA, Codenomicon, and Google.

It must be noted that development for the older branches (1.0.0 and 0.9.8) will be discontinued on the last day of 2015. As such, users should start thinking about the implications of moving the services that rely on OpenSSL to the current latest release.

Upgrading as soon as possible would leave enough time to fix any quirks that may appear as a result of the operation.