Softpedia
November 16th, 2010, 18:21 GMT · By

Remote Code Execution Bug Patched in OpenSSL

Security updates released for OpenSSL
New versions of the OpenSSL toolkit have been released in order to address a critical vulnerability that can lead to denial of service and remote arbitrary code execution.

In a security advisory published today, the OpenSSL security team notes that versions 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a are affected by the new vulnerability, which is identified as CVE-2010-3864.

Vulnerability research vendor Secunia rates the issue as moderately critical and describes it as a race condition in the OpenSSL TLS server extension.

"A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

"The vulnerability is caused due to a race condition within the TLS extension parsing code, which can be exploited to cause a heap-based buffer overflow," the company explains.

Fortunately, the attack surface is limited because successful exploitation can only be achieved on multi-threaded TLS servers that use the OpenSSL internal caching mechanism.

This is not the case for Apache HTTPD, the most popular Web server software, which does not use OpenSSL's internal session caching.

Users of the OpenSSL 0.9.x branch are advised to update to OpenSSL 0.9.8p, while 1.0.x users should deploy OpenSSL 1.0.0b.

Manual patching instructions are also available for people who, for various reasons, can't immediately upgrade to the newly released versions.
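As an added triage aid (not part of the article or of the OpenSSL project), the script below checks an `openssl version` banner against the affected ranges the advisory lists for CVE-2010-3864 and names the fixed release. It assumes upstream OpenSSL version numbering, where a letter suffix sorts after the bare release (1.0.0 < 1.0.0a) and longer suffixes sort later (0.9.8y < 0.9.8za); the sample banners in the comments are constructed.

```python
import re
import subprocess

# Affected ranges and fixed releases as stated in the advisory (CVE-2010-3864):
# (first affected, last affected, first fixed) per branch.
AFFECTED_RANGES = [
    ("0.9.8f", "0.9.8o", "0.9.8p"),
    ("1.0.0", "1.0.0a", "1.0.0b"),
]

# Matches "0.9.8o", "1.0.0a" or "1.0.0" inside a banner such as
# "OpenSSL 0.9.8o 01 Jun 2010" (constructed sample) or "OpenSSL 0.9.8o-fips ...".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn an `openssl version` banner (or a bare version string) into a sortable key.

    The key is (major, minor, fix, suffix_length, suffix). Sorting on suffix length
    before the suffix itself reproduces OpenSSL's ordering: "" < "a" < ... < "y" < "za".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version number found in: %r" % text)
    major, minor, fix, suffix = m.groups()
    return (int(major), int(minor), int(fix), len(suffix), suffix)


def assess(text):
    """Return {'affected': bool, 'fixed_in': str or None} for the given banner.

    A version outside every listed range is reported as not affected; note this
    covers only the ranges the advisory names, so unlisted branches return False.
    """
    version = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= version <= parse_version(last):
            return {"affected": True, "fixed_in": fixed}
    return {"affected": False, "fixed_in": None}


if __name__ == "__main__":
    # Query the locally installed toolkit when run as a script.
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True).stdout
        print(banner.strip(), "->", assess(banner))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not run `openssl version`:", exc)
```

The banner alone is not proof of exposure: distribution packages frequently backport the fix without changing the upstream version string, and the advisory only considers multi-threaded servers using OpenSSL's internal session cache exploitable, so confirm against the vendor's package changelog as well.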

The OpenSSL Project credits Rob Hulswit with reporting the vulnerability and Stephen Henson of the OpenSSL core team for developing the patch.

OpenSSL is a popular open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It also includes a basic cryptographic library.

The toolkit supports a significant number of ciphers and hash functions and is distributed under an Apache-like license that allows both commercial and non-commercial uses.
