Important OpenSSL Patch – 6 More Vulnerabilities

Keep on Guard!


So after the Heartbleed vulnerability in OpenSSL that turned the World upside down, there has a been a lot of focus on the codebase and the manner in which it was written. They’ve raised a bunch of money, an audit is underway and there has even been a fairly serious branch named LibreSSL (who are currently whining about not being told about this set of vulns).

OpenSSL Vulnerability

So yah if you have any Linux servers terminating SSL connections with OpenSSL (or LibreSSL) you really need to patch them now and reload any services using the library (or safer just to reboot if you’re not sure).

The good part this time is none of these are particularly easy to exploit, unlike Heartbleed – which could pretty much be abused by anyone.

The OpenSSL team today pushed out fixes for six security vulnerabilities in the widely used crypto library.

These holes include a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.

A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers. DTLS is more or less TLS encryption over UDP rather than TCP, and is used to secure live streams of video, voice chat and so on.

However, an SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.

Users and administrators are advised to check their systems for updates; patched builds of OpenSSL are available from the major Linux distros, for instance.
Early CCS MITM logo, source: http://ccsinjection.lepidum.co.jp

The CVE-2014-0224 MITM bug has existed since the very first release of OpenSSL, according to Masashi Kikuchi, the Japanese security researcher who unearthed the flaw.


Let’s hope they don’t do a TrueCrypt and die after the audit because the code is so bad, they don’t have the resources to fix it. Some people are saying the money being raised should go straight to LibreSSL..but well, the World isn’t a huge fan of Theo and his OpenBSD ways – so that seems unlikely.

I’m sure there’s going to be a whole lot more flaws exposed in the months to come, this is just the beginnings. Let’s just hope that none are leaked (and critical) before the fixes and patches are made public.

The DTLS flaw has also given security experts the fear. “The OpenSSL DTLS vulnerability dates from April, but was reported today. It may allow remote-code execution (OpenSSL DTLS is still a nightmare),” noted computer-science professor Matthew Green in a Twitter update.

“This OpenSSL vuln is an example of the kind of subtle protocol bug that LibreSSL’s (admirable) fork is not likely to fix.”

The OpenSSL.org advisory comes just weeks after the discovery of the infamous Heartbleed vulnerability. Prof Green reckons none of the bugs would be easy to exploit – the direct opposite of the password-leaking Heartbleed hole. The other four fixes in today’s batch deal with denial-of-service-style vulnerabilities.

Nicholas J. Percoco, veep of strategic services at vulnerability management firm Rapid7, said a wide variety of servers and other internet-connected systems will need to be updated to guard against attackers exploiting these now-fixed bugs.

“The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent,” Percoco explained.

“This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year. A man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed encrypted between a client – for example, an end user – and a server – eg, an online bank.

I’m honestly surprised (and a little sad) that’s it has taken this long for there to a big chunk of pressure on OpenSSL to clean up their code and be secure as it’s driving a large part of the Internet.

If you haven’t already done it – go and apply the OpenSSL Patch now.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


Comments are closed.