OpenSSL Offering Patches 6 Flaws

Friday, January 6, 2012 @ 12:01 PM gHale


A new version of the OpenSSL package fixes six vulnerabilities, including a plaintext recovery attack on the DTLS implementation.

There are two other cryptographic flaws fixed in OpenSSL 1.0.0f, and a few other less-serious problems.


The most problematic of the vulnerabilities fixed in the new version is the one that enables the plaintext recovery attack, discovered by a pair of security researchers who found a way to extend the CBC padding oracle attack. The attack enables someone to exploit the problem with OpenSSL’s DTLS implementation to recover the plaintext version of an encrypted message.

“Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing,” the OpenSSL advisory said.
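The defensive point behind the advisory is that a record check which does different amounts of work depending on whether the padding or the MAC failed gives an observer a timing signal. The following Python model, added here and not taken from OpenSSL or from the researchers' paper, contrasts a verifier that stops early and skips the MAC on bad padding with one that examines every padding byte and always computes the MAC. The key, the HMAC-SHA256 choice, the 16-byte block and the record layout (body || MAC || padding) are constructed for the demo; the CBC decryption step is omitted and `plaintext` is the already-decrypted record.

```python
import hmac
import hashlib

KEY = b"constructed-demo-mac-key"   # constructed value, not from the advisory
BLOCK = 16                          # assumed block size (e.g. AES-CBC)
MAC_LEN = 32                        # HMAC-SHA256 digest length


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def build_record(body: bytes) -> bytes:
    """Constructed TLS-style record: body || MAC || padding, where every padding
    byte (including the final length byte) equals the padding length."""
    mac = _mac(body)
    pad_len = (BLOCK - (len(body) + MAC_LEN + 1) % BLOCK) % BLOCK
    return body + mac + bytes([pad_len]) * (pad_len + 1)


def verify_leaky(plaintext: bytes) -> tuple:
    """Returns (accepted, mac_checked). Leaves at the first bad padding byte and
    never reaches the MAC, so bad padding is rejected measurably faster than a
    bad MAC: the kind of decryption-time difference the advisory describes."""
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False, False
    for b in plaintext[-1 - pad_len:-1]:
        if b != pad_len:
            return False, False          # early exit, no MAC work done
    body = plaintext[:-1 - pad_len - MAC_LEN]
    tag = plaintext[-1 - pad_len - MAC_LEN:-1 - pad_len]
    return hmac.compare_digest(_mac(body), tag), True


def verify_constant(plaintext: bytes) -> tuple:
    """Same accept/reject decision, but every padding byte is examined (errors
    are accumulated, never short-circuited) and the MAC is always computed, so
    the rejection path does not reveal which of the two checks failed."""
    pad_len = plaintext[-1]
    length_ok = pad_len + 1 + MAC_LEN <= len(plaintext)
    if not length_ok:
        pad_len = 0                      # treat as unpadded; still run the MAC below
    bad = 0
    for b in plaintext[-1 - pad_len:-1]:
        bad |= b ^ pad_len               # accumulate mismatches without breaking
    body = plaintext[:-1 - pad_len - MAC_LEN]
    tag = plaintext[-1 - pad_len - MAC_LEN:-1 - pad_len]
    mac_ok = hmac.compare_digest(_mac(body), tag)
    return (length_ok and bad == 0 and mac_ok), True


def demo() -> dict:
    """Run both verifiers over a good record, one with a corrupted padding byte
    and one with a corrupted body (MAC mismatch). Inputs are constructed."""
    good = build_record(b"hello dtls")
    bad_pad = bytearray(good)
    bad_pad[-2] ^= 0x01                  # flip one padding byte
    bad_mac = bytearray(good)
    bad_mac[0] ^= 0x01                   # flip one body byte -> MAC no longer matches
    records = (good, bytes(bad_pad), bytes(bad_mac))
    return {
        "leaky": [verify_leaky(r) for r in records],
        "constant": [verify_constant(r) for r in records],
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

In the leaky variant the bad-padding case returns `(False, False)` (MAC never computed), while the constant variant returns `(False, True)` for both failure cases. Note that the padding loop still runs `pad_len` iterations in both versions; a production implementation has to go further (fixed-length MAC computation, constant-time compare of the whole tail), but always doing the MAC work is the step this advisory's fix is about.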

Among the other vulnerabilities fixed in version 1.0.0f is a problem with the way the application handles padding for SSL 3.0 records. In those records, the application would not clear the bytes it uses as padding, meaning some amount of potentially sensitive data from previous transactions could go out as part of a subsequent operation.

“OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as block cipher padding in SSL 3.0 records. This affects both clients and servers that accept SSL 3.0 handshakes: those that call SSL_CTX_new with SSLv3_{server|client}_method or SSLv23_{server|client}_method. It does not affect TLS. As a result, in each record, up to 15 bytes of uninitialized memory may go out, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory,” the advisory said.
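To make the "up to 15 bytes of uninitialized memory" concrete, here is a small Python model, added for this article and not OpenSSL's own record code, of an SSL 3.0 record builder that reuses an output buffer. SSL 3.0 padding consists of zero to block_size-1 filler bytes followed by a length byte, and only the length byte has a defined value; a builder that writes just that byte ships whatever the buffer held before. The 16-byte block size, the stale buffer contents and the payload are constructed; encryption is omitted because the leak is already present in the plaintext that gets encrypted.

```python
BLOCK = 16  # assumed block size (e.g. AES-CBC)


def _pad_len(payload_len: int) -> int:
    """SSL 3.0 filler count: 0..BLOCK-1 bytes so that payload + filler + 1 is a
    block multiple. With BLOCK == 16 the maximum is 15, matching the advisory."""
    return (BLOCK - (payload_len + 1) % BLOCK) % BLOCK


def pad_leaky(buf: bytearray, payload: bytes) -> bytes:
    """Buggy builder: copies the payload and writes only the final length byte.
    The filler bytes in between keep whatever the reused buffer contained."""
    pad_len = _pad_len(len(payload))
    total = len(payload) + pad_len + 1
    buf[:len(payload)] = payload
    buf[total - 1] = pad_len            # SSL 3.0: last byte = number of filler bytes
    return bytes(buf[:total])


def pad_fixed(buf: bytearray, payload: bytes) -> bytes:
    """Fixed builder: explicitly overwrites every filler byte before the length byte."""
    pad_len = _pad_len(len(payload))
    total = len(payload) + pad_len + 1
    buf[:len(payload)] = payload
    buf[len(payload):total - 1] = b"\x00" * pad_len
    buf[total - 1] = pad_len
    return bytes(buf[:total])


def filler_bytes(record: bytes) -> bytes:
    """Return the filler bytes of a padded record (between payload and length byte)."""
    pad_len = record[-1]
    return record[-1 - pad_len:-1]


def demo() -> tuple:
    """Build the same 16-byte payload into two copies of a buffer that previously
    held a 32-byte 'secret' (constructed). Returns (leaky_filler, fixed_filler)."""
    stale = bytearray(b"PREVIOUS-RECORD-SECRET-DATA!!!!!")   # 32 bytes of old content
    payload = b"GET / HTTP/1.0\r\n"                          # 16 bytes -> 15 filler bytes
    leaky = pad_leaky(bytearray(stale), payload)
    fixed = pad_fixed(bytearray(stale), payload)
    return filler_bytes(leaky), filler_bytes(fixed)


if __name__ == "__main__":
    leaked, cleared = demo()
    print("leaky filler:", leaked)
    print("fixed filler:", cleared)
```

A 16-byte payload needs 15 filler bytes, the worst case, so the leaky builder emits 15 bytes of the stale buffer (`b"SECRET-DATA!!!!"` here) while the fixed one emits zeros. A 15-byte payload needs no filler at all, which is why the advisory says "up to" 15 bytes per record.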

Versions 1.0.0f and 0.9.8s also fix several other vulnerabilities: a condition that allows an attacker to cause a denial of service against a server that supports server-gated cryptography handshake restarts; an assertion failure triggered by malformed RFC 3779 data; and a DoS condition triggered by sending invalid parameters to the GOST hash function.

Users of previous versions should upgrade to OpenSSL 1.0.0f or 0.9.8s.
