Important OpenSSL Patch – 6 More Vulnerabilities


So after the Heartbleed vulnerability in OpenSSL that turned the World upside down, there has a been a lot of focus on the codebase and the manner in which it was written. They’ve raised a bunch of money, an audit is underway and there has even been a fairly serious branch named LibreSSL (who are currently whining about not being told about this set of vulns).

OpenSSL Vulnerability

So yah if you have any Linux servers terminating SSL connections with OpenSSL (or LibreSSL) you really need to patch them now and reload any services using the library (or safer just to reboot if you’re not sure).

The good part this time is none of these are particularly easy to exploit, unlike Heartbleed – which could pretty much be abused by anyone.

The OpenSSL team today pushed out fixes for six security vulnerabilities in the widely used crypto library.

These holes include a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.

A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers. DTLS is more or less TLS encryption over UDP rather than TCP, and is used to secure live streams of video, voice chat and so on.

However, an SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.

Users and administrators are advised to check their systems for updates; patched builds of OpenSSL are available from the major Linux distros, for instance.
Early CCS MITM logo, source: http://ccsinjection.lepidum.co.jp

The CVE-2014-0224 MITM bug has existed since the very first release of OpenSSL, according to Masashi Kikuchi, the Japanese security researcher who unearthed the flaw.


Let’s hope they don’t do a TrueCrypt and die after the audit because the code is so bad, they don’t have the resources to fix it. Some people are saying the money being raised should go straight to LibreSSL..but well, the World isn’t a huge fan of Theo and his OpenBSD ways – so that seems unlikely.

I’m sure there’s going to be a whole lot more flaws exposed in the months to come, this is just the beginnings. Let’s just hope that none are leaked (and critical) before the fixes and patches are made public.

The DTLS flaw has also given security experts the fear. “The OpenSSL DTLS vulnerability dates from April, but was reported today. It may allow remote-code execution (OpenSSL DTLS is still a nightmare),” noted computer-science professor Matthew Green in a Twitter update.

“This OpenSSL vuln is an example of the kind of subtle protocol bug that LibreSSL’s (admirable) fork is not likely to fix.”

The OpenSSL.org advisory comes just weeks after the discovery of the infamous Heartbleed vulnerability. Prof Green reckons none of the bugs would be easy to exploit – the direct opposite of the password-leaking Heartbleed hole. The other four fixes in today’s batch deal with denial-of-service-style vulnerabilities.

Nicholas J. Percoco, veep of strategic services at vulnerability management firm Rapid7, said a wide variety of servers and other internet-connected systems will need to be updated to guard against attackers exploiting these now-fixed bugs.

“The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent,” Percoco explained.

“This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year. A man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed encrypted between a client – for example, an end user – and a server – eg, an online bank.

I’m honestly surprised (and a little sad) that’s it has taken this long for there to a big chunk of pressure on OpenSSL to clean up their code and be secure as it’s driving a large part of the Internet.

If you haven’t already done it – go and apply the OpenSSL Patch now.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


Comments are closed.