OpenSSL Closes Security Holes

Monday, April 23, 2012 @ 09:04 AM gHale


There is a security hole in the current version of the OpenSSL open source library.

The errors occur when parsing ASN1 data via the asn1_d2i_read_bio() function, said Tavis Ormandy from the Google Security Team.

RELATED STORIES
Python Updates Hash Collision
OpenSSL Not Completely Secure
Oracle Patches DoS Hole
OpenSSL Patches Bug Offered in Fix

The issue affects applications that process external X.509 certificates or public RSA keys, according to the official OpenSSL advisory and Ormandy. However, the remaining information about the affected applications, and the potential consequences, is pretty cryptic.

The OpenSSL developers have released versions 1.0.1a, 1.0.0i and 0.9.8v to fix the “ASN1 BIO” problem but the advisories don’t state whether the update is urgent. The OpenSSL team talks about a “potentially exploitable vulnerability” and Ormandy provides further details by saying the issue “can cause memory corruption,” but neither say anything about the potential consequences.

At least the OpenSSH project’s own SSH server remains unaffected. Sshd verified RSA keys with the custom openssh_RSA_verify() function has already helped avoid eight exploitable bugs in the ASN1 parser. Fixed OpenSSL packages for Ubuntu and OpenBSD are available, while fixes for Red Hat Enterprise Linux and Fedora are on the way.



Leave a Reply

You must be logged in to post a comment.