OpenSSL Patches Bug Offered in Fix

Monday, January 23, 2012 @ 11:01 AM gHale


A patch for a new bug in OpenSSL introduced in an earlier fix of other issues is now available.

OpenSSL developers released versions 1.0.0g and 0.9.8t to address a denial of service issue (DoS) introduced by one of the six fixes included in the version released earlier this month.

RELATED STORIES
OpenSSL Offering Patches 6 Flaws
Google Looks at HTTPS Security
Google Fixes Chrome Hole, Again
Vulnerability Leader: Google
Patched Adobe Still has Victims

The problem came from the fix for a critical vulnerability in the CBC (“Cipher block chaining”) encryption mode which enabled plaintext recovery of OpenSSL’s implementation of DTLS (Datagram TLS).

The advisory said the DoS flaw only affects users using DTLS applications that use OpenSSL 1.0.0f and 0.9.8s.

The developers credit Antonio Martin of Cisco Systems for discovering the bug and preparing the fix for it. Source code for the corrected versions is available to download.

Earlier this month, a new version of the OpenSSL package fixed six vulnerabilities, including a plaintext recovery attack on the DTLS implementation.

There were two other cryptographic flaws fixed in OpenSSL 1.0.0f, and a few other less-serious problems.

The most problematic of the vulnerabilities fixed in the new version is the one that enables the plaintext recovery attack, discovered by a pair of security researchers who found a way to extend the CBC padding oracle attack. The attack enables someone to exploit the problem with OpenSSL’s DTLS implementation to recover the plaintext version of an encrypted message.



Leave a Reply

You must be logged in to post a comment.