14 DAY TRIAL // Multiple vulnerabilities in OpenSSL were reported by security researchers from different companies, which, if exploited, could lead to leaking of information, crashing of the client or downgrade to a lower version of the security protocol.
Researchers from Google, LogMeIn, Codenomicon and NCC Group reported the issues, and some of them also provided the necessary fix.
Discovered by David Benjamin and Adam Langley from Google, one of the flaws in the OpenSSL SSL/TLS server code could allow a potential attacker to negotiate the use of the less secure TLS 1.0 instead of a higher version of the protocol.
This would occur when a badly fragmented “ClientHello” message is delivered to a server during a man-in-the-middle attack, forcing the downgrade by changing the TLS records of the client, even if the client and the server include support for a more recent version of the protocol.
Denial of service (DoS) attacks could be conducted by sending malcrafted DTLS packets that would lead to memory leak; the same could be achieved when processing DTLS handshake messages.
Worth noting is that none of the issues found by the security researchers are close to the severity of the Heartbleed bug uncovered by Codenomicon in April, this year. Even so, administrators should upgrade to the latest version of the OpenSSL library (0.9.8zb, 1.0.0n or 1.0.1i) as soon as possible.