Important OpenSSL Patch – 6 More Vulnerabilities


So after the Heartbleed vulnerability in OpenSSL that turned the World upside down, there has a been a lot of focus on the codebase and the manner in which it was written. They’ve raised a bunch of money, an audit is underway and there has even been a fairly serious branch named LibreSSL (who are currently whining about not being told about this set of vulns).

OpenSSL Vulnerability

So yah if you have any Linux servers terminating SSL connections with OpenSSL (or LibreSSL) you really need to patch them now and reload any services using the library (or safer just to reboot if you’re not sure).

The good part this time is none of these are particularly easy to exploit, unlike Heartbleed – which could pretty much be abused by anyone.

The OpenSSL team today pushed out fixes for six security vulnerabilities in the widely used crypto library.

These holes include a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.

A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers. DTLS is more or less TLS encryption over UDP rather than TCP, and is used to secure live streams of video, voice chat and so on.

However, an SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.

Users and administrators are advised to check their systems for updates; patched builds of OpenSSL are available from the major Linux distros, for instance.
Early CCS MITM logo, source: http://ccsinjection.lepidum.co.jp

The CVE-2014-0224 MITM bug has existed since the very first release of OpenSSL, according to Masashi Kikuchi, the Japanese security researcher who unearthed the flaw.


Let’s hope they don’t do a TrueCrypt and die after the audit because the code is so bad, they don’t have the resources to fix it. Some people are saying the money being raised should go straight to LibreSSL..but well, the World isn’t a huge fan of Theo and his OpenBSD ways – so that seems unlikely.

I’m sure there’s going to be a whole lot more flaws exposed in the months to come, this is just the beginnings. Let’s just hope that none are leaked (and critical) before the fixes and patches are made public.

The DTLS flaw has also given security experts the fear. “The OpenSSL DTLS vulnerability dates from April, but was reported today. It may allow remote-code execution (OpenSSL DTLS is still a nightmare),” noted computer-science professor Matthew Green in a Twitter update.

“This OpenSSL vuln is an example of the kind of subtle protocol bug that LibreSSL’s (admirable) fork is not likely to fix.”

The OpenSSL.org advisory comes just weeks after the discovery of the infamous Heartbleed vulnerability. Prof Green reckons none of the bugs would be easy to exploit – the direct opposite of the password-leaking Heartbleed hole. The other four fixes in today’s batch deal with denial-of-service-style vulnerabilities.

Nicholas J. Percoco, veep of strategic services at vulnerability management firm Rapid7, said a wide variety of servers and other internet-connected systems will need to be updated to guard against attackers exploiting these now-fixed bugs.

“The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent,” Percoco explained.

“This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year. A man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed encrypted between a client – for example, an end user – and a server – eg, an online bank.

I’m honestly surprised (and a little sad) that’s it has taken this long for there to a big chunk of pressure on OpenSSL to clean up their code and be secure as it’s driving a large part of the Internet.

If you haven’t already done it – go and apply the OpenSSL Patch now.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


Comments are closed.