OpenSSL Patches DoS Vulnerability

Tuesday, November 15, 2016 @ 06:11 PM gHale


OpenSSL Project released an update for the 1.1.0 branch which fixes a denial-of-service (DoS) issue.

OpenSSL 1.1.0c clears three holes, with the most serious of them being a heap-based buffer overflow related to TLS connections using *-CHACHA20-POLY1305 cipher suites. An attacker employing larger payloads can cause a DoS condition, which can result in a crash of OpenSSL.

RELATED STORIES
BIND Patched, But Still Vulnerable
OpenSSL Patches Previous Fix
OpenSSL Patches Slew of Vulnerabilities
Patched OpenSSL Hole Still an Issue

The flaw does not affect versions prior to 1.1.0 and it appears it is not exploitable beyond a DoS attack, according to the OpenSSL Project. The issue ended up discovered by Robert Święcki of the Google Security Team using the honggfuzz fuzzer.

OpenSSL developers learned about the vulnerability September 25.

In addition to that high severity bug, the update also patches a moderate severity flaw that can cause applications to crash. This issue also only affects OpenSSL 1.1.0.

OpenSSL 1.1.0c also resolves a low severity flaw, which ended up related to the Broadwell-specific Montgomery multiplication procedure. Initially it was not viewed as a security problem, but researchers showed it is exploitable in very specific circumstances.

This vulnerability also affects OpenSSL 1.0.2, but an update has not gone out for this branch because of its low severity status. The patch will be in the next 1.0.2 update.

Version 1.0.1 will no longer be supported after December 31. This version will not receive security updates after that date.



Leave a Reply

You must be logged in to post a comment.