Two denial-of-service risks have been mitigated

Oct 16, 2014 08:07 GMT

On Wednesday, the OpenSSL cryptographic library received an update that mitigates the recently disclosed POODLE attack against SSL 3.0 and fixes three other security issues, one of them rated “high” severity.

Security researchers at Google devised a new attack that can extract plaintext from encrypted sessions. It relies on SSL 3.0's insufficient verification of block-cipher padding, combined with an active man-in-the-middle forcing the connection to downgrade from a secure protocol to SSL 3.0.

They named it POODLE (Padding Oracle On Downgraded Legacy Encryption), and it was assigned the identifier CVE-2014-3566.

OpenSSL shuts door to possible denial-of-service (DoS) risk

The library is an open-source implementation of the SSL and TLS protocols and is extremely widespread because it is free and provides secure communication for a wide range of software.

The most severe of the bugs addressed in the latest OpenSSL release is in the parsing code for the Secure Real-time Transport Protocol (SRTP) extension. An attacker can trigger it to leak memory, which can then be exploited for a DoS attack.

According to the advisory, a carefully crafted handshake message can prevent OpenSSL from freeing up to 64KB of memory. Repeating this exhausts the available memory and disrupts the service.

The library maintainers learned of the vulnerability on September 26, through an issue and fix developed by the LibreSSL project. Closer investigation by the OpenSSL team then led to the identification of the bug (CVE-2014-3513).

SSL fallback protection added

Mitigation of the POODLE attack has also been implemented: the library now supports TLS_FALLBACK_SCSV (TLS Fallback Signaling Cipher Suite Value), a mechanism that protects against protocol downgrade attacks.

“Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols,” the advisory explains.

To prevent this kind of risk, clients are advised to update to the latest OpenSSL version. Some web browsers, such as Google Chrome, have already added the SSL fallback prevention mechanism, while Firefox is expected to disable SSL 3.0 by default in a future release.

Until then, Mozilla offers its users an extension that turns SSL 3.0 off.

In Internet Explorer, the use of the protocol can be disabled from the Advanced tab of the Internet Options menu.
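The fallback dance described above, and why TLS_FALLBACK_SCSV stops it, as an added toy model that is not OpenSSL's code: a client retrying at a lower version appends the SCSV to its cipher suite list, and a server that supports a higher version than the one offered rejects the retry with an inappropriate_fallback alert. The 0x5600 suite value and alert code 86 are the ones defined in RFC 7507; the version tuples, the placeholder cipher suite and the `Server` class are this example's own assumptions.

```python
"""Toy model of the SSL fallback dance and the TLS_FALLBACK_SCSV check.
Added illustration, not OpenSSL code. Versions use wire numbering:
SSL 3.0 = (3, 0), TLS 1.0 = (3, 1), TLS 1.1 = (3, 2), TLS 1.2 = (3, 3)."""
TLS_FALLBACK_SCSV = 0x5600      # RFC 7507 pseudo cipher suite meaning "this is a retry"
INAPPROPRIATE_FALLBACK = 86     # RFC 7507 alert sent when the retry was unnecessary
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
PLACEHOLDER_SUITE = 0x002F      # constructed stand-in for the client's real suite list


class Server:
    """breaks_above models an interop bug: hellos above that version get dropped."""
    def __init__(self, max_version, supports_scsv, breaks_above=None):
        self.max_version = max_version
        self.supports_scsv = supports_scsv
        self.breaks_above = breaks_above

    def handle_client_hello(self, client_version, cipher_suites):
        if self.breaks_above is not None and client_version > self.breaks_above:
            return ("dropped", None)        # the legitimate reason clients fall back
        # The SCSV check: a retry at a version lower than we support is suspicious.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", INAPPROPRIATE_FALLBACK)
        return ("server_hello", min(client_version, self.max_version))


def connect(client_versions, server, send_scsv, mitm_blocks_above=None):
    """Client tries its versions highest first and retries when a hello fails.
    An active MITM discarding every hello above mitm_blocks_above looks to the
    client exactly like a buggy server, so it retries at a lower version."""
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        if mitm_blocks_above is not None and version > mitm_blocks_above:
            continue                        # MITM killed the connection
        suites = [PLACEHOLDER_SUITE]
        if send_scsv and attempt > 0:       # only a retry carries the SCSV
            suites.append(TLS_FALLBACK_SCSV)
        kind, value = server.handle_client_hello(version, suites)
        if kind != "dropped":
            return (kind, value)
    return ("failed", None)


if __name__ == "__main__":
    versions = [TLS12, TLS11, TLS10, SSL3]
    print(connect(versions, Server(TLS12, True), True))                      # plain TLS 1.2
    print(connect(versions, Server(TLS12, False), True, SSL3))               # old server: SSL 3.0
    print(connect(versions, Server(TLS12, True), True, SSL3))                # alert 86, stopped
    print(connect(versions, Server(TLS10, True, breaks_above=TLS10), True))  # honest fallback ok
```

The last case is the important one for deployment: a server with a genuine interop bug still completes the retry at its own maximum version, so enabling the SCSV check does not break legitimate fallbacks.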

Medium and low impact glitches removed

Apart from the SRTP extension leak, the OpenSSL team repaired a second memory leak: when session ticket integrity verification fails, the associated memory is not freed.

Rated medium impact, the risk is that an attacker can create a denial-of-service condition by sending a large number of invalid session tickets.

The least severe of the problems addressed in the latest OpenSSL release concerns the “no SSL3” option, which was incomplete: even with it enabled, “servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them,” the advisory says.

Credit for discovering the problem goes to Akamai Technologies, which also collaborated on the fix.