OpenSSL Fixes POODLE

Friday, October 17, 2014 @ 04:10 PM gHale


The OpenSSL Project pushed out new releases of the open-source cryptographic library, which fix four vulnerabilities, including the POODLE (Padding Oracle On Downgraded Legacy Encryption) issue.

POODLE was addressed by adding support for TLS_FALLBACK_SCSV, which prevents a man-in-the-middle (MitM) attacker from forcing a protocol downgrade. The Project also patched a bug that allowed servers to accept and complete an SSL 3.0 handshake, and clients to send them, even if OpenSSL was configured with “no-ssl3” as a build option.
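The server-side check that TLS_FALLBACK_SCSV makes possible, as an added example (not OpenSSL's code and not part of the original article): following RFC 7507, a server that finds the signalling suite 0x5600 in a ClientHello offering a lower version than the server supports answers with the fatal inappropriate_fallback alert. The function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86        # fatal alert description (RFC 7507)
SSL3, TLS12 = 0x0300, 0x0303       # protocol version numbers on the wire

def build_client_hello(version, suites):
    """Constructed sample input: minimal ClientHello record without extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, cipher_suites); raise ValueError if malformed."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    version = struct.unpack_from("!H", record, 9)[0]
    pos = 44 + record[43]                  # skip 32-byte random and the session id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher suites")
    size = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    if size % 2 or pos + size > len(record):
        raise ValueError("bad cipher suite list length")
    return version, list(struct.unpack_from("!%dH" % (size // 2), record, pos))

def server_decision(record, server_max_version):
    """Apply the RFC 7507 server rule to one ClientHello (hypothetical helper)."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and server_max_version > version:
        return ("fatal_alert", INAPPROPRIATE_FALLBACK)
    return ("continue", version)

if __name__ == "__main__":
    aes_cbc = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA
    for label, hello in [
        ("fallback retry at SSL 3.0", build_client_hello(SSL3, [aes_cbc, TLS_FALLBACK_SCSV])),
        ("first attempt at TLS 1.2", build_client_hello(TLS12, [aes_cbc])),
    ]:
        print(label, "->", server_decision(hello, TLS12))
```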


The other two fixed bugs are memory leaks that attackers could exploit to launch DoS attacks against servers.

The more serious of the two can be exploited by an attacker sending a carefully crafted handshake message to the server, which causes OpenSSL to fail to free up to 64k of memory. Repeating this action multiple times would exhaust the server's available memory and ultimately crash it or degrade its performance.

The new OpenSSL versions available for download are 1.0.1j, 1.0.0o and 0.9.8zc.


