New OpenSSL Vulnerabilities Rediscovered and Fixed Four Years After Initial Report

The issues were first reported years ago, but got ignored

  OpenSSL
OpenSSL seems to be the source of numerous problems, especially now that people have started to look a lot more closely at the source. Yet another bug has been discovered in the OpenSSL package and, to make things worse, it's a four-year-old problem that has remained unsolved until now.

OpenSSL seems to be the source of numerous problems, especially now that people have started to look a lot more closely at the source. Yet another bug has been discovered in the OpenSSL package and, to make things worse, it's a four-year-old problem that has remained unsolved until now.

The online community has just realized that one of the most important components of the Internet infrastructure, OpenSSL, has been grossly ignored by the developers, which has led to some big problems, like the Heartbleed bug.

Now that OpenSSL has been put under the microscope, developers have started to find other problems and, in this case, to rediscover issues that were reported years ago, but that have been ignored.

OpenBSD developer Ted Unangst was looking over the OpenSSL source to find ways of dealing with the Heartbleed issue when he discovered that the package featured a number of exploit mitigation countermeasures. When he disabled those countermeasures, OpenSSL ceased to function.

“OpenSSL uses a custom freelist for connection buffers because long ago and far away, malloc was slow. Instead of telling people to find themselves a better malloc, OpenSSL incorporated a one-off LIFO freelist. You guessed it. OpenSSL misuses the LIFO freelist. In fact, the bug I’m about to describe can only exist and go unnoticed precisely because the freelist is LIFO.”

“This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security focused malloc, just one that frees memory every now and again). Instead, it lay dormant for years until I went looking for a way to disable their Heartbleed accelerating custom allocator,” said developer Ted Unangst.

It turns out that the fix for this problem is not that complicated and a new patch has been issued by the developers, which should reach most of the Linux distributions pretty soon. OpenSSL has already been patched in Ubuntu 14.04 LTS and all the other supported OSes from Canonical.

The security notification for Ubuntu says that OpenSSL incorrectly handled memory in the ssl3_read_bytes() function. A remote attacker could have used this issue to possibly cause OpenSSL to crash, resulting in a denial of service.

This is not as bad as the Heartbleed bug, but it shows just how much the development around OpenSSL has been lacking. Someone noticed this problem four years ago, but nothing has been done about it. OpenSSL is now being looked at from all possible angles, but who knows how many other major issues lurk ignored in other major packages.

2 Comments