OpenSSL Patches Previous Fix

Wednesday, September 28, 2016 @ 11:09 AM gHale

The OpenSSL fix was in, but in reality it made things worse.

That is because a patch included in the OpenSSL updates released last week introduced a critical vulnerability that could lead to arbitrary code execution, the OpenSSL Project said.


OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u were released last week to fix a number of security holes. One of the issues affecting OpenSSL 1.1.0 is a low severity denial-of-service (DoS) bug related to excessive allocation of memory in the tls_get_message_header() function.

The flaw, reported by Shi Lei of Qihoo 360 and identified as CVE-2016-6307, was rated “low severity” because it can only be exploited if certain conditions are met.

The OpenSSL Project rolled out a fix in version 1.1.0a, but Google Security Engineer Robert Swiecki soon discovered that the fix introduced a critical use-after-free vulnerability.

“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code,” OpenSSL Project said in a blog post.
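The bug class the quote describes, as an added example in C that is not OpenSSL's code: a growable receive buffer in which every write address is recomputed from the buffer base after realloc(), with the defective pattern (a write pointer cached before the buffer is grown) shown in a comment. The 16 KiB initial capacity, the header bytes and the 0xAB body are constructed values chosen to mirror the "approx 16k" threshold in the post.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Defective pattern (illustrative only, not executed here):
 *     unsigned char *p = b->data + b->len;  // cached before growth
 *     msg_buf_reserve(b, n);                // realloc may move b->data
 *     memcpy(p, in, n);                     // p dangles: use-after-free
 * The safe idiom below derives every write address from b->data after growth. */
#define INITIAL_CAP (16 * 1024)   /* constructed: mirrors the ~16k threshold in the post */

typedef struct { unsigned char *data; size_t len, cap; } msg_buf;

/* Make room for `extra` more bytes; realloc() may move b->data. */
static int msg_buf_reserve(msg_buf *b, size_t extra) {
    if (extra > SIZE_MAX - b->len) return 0;              /* length overflow */
    size_t need = b->len + extra, ncap = b->cap ? b->cap : INITIAL_CAP;
    if (need <= b->cap) return 1;
    while (ncap < need) ncap = (ncap > SIZE_MAX / 2) ? need : ncap * 2;
    unsigned char *nd = realloc(b->data, ncap);
    if (!nd) return 0;            /* old block is still owned by b->data */
    b->data = nd;
    b->cap = ncap;
    return 1;
}

/* Append n bytes: the destination is computed from b->data only after
 * reserve(), so no pointer into a freed allocation survives a move. */
int msg_buf_append(msg_buf *b, const unsigned char *in, size_t n) {
    if (!msg_buf_reserve(b, n)) return 0;
    memcpy(b->data + b->len, in, n);
    b->len += n;
    return 1;
}

/* Feed a constructed 4-byte header plus body_len bytes of 0xAB, then return
 * the stored length if the content survived the reallocation, else 0. */
size_t receive_large_message(size_t body_len) {
    msg_buf b = {0};                 /* starts empty; first append allocates */
    unsigned char hdr[4] = {0x16, 0x03, 0x03, 0x00}, *body = malloc(body_len);
    size_t out = 0;
    if (body) {
        memset(body, 0xAB, body_len);
        if (msg_buf_append(&b, hdr, sizeof hdr) && msg_buf_append(&b, body, body_len)
            && b.data[0] == 0x16 && b.data[b.len - 1] == 0xAB)
            out = b.len;
    }
    free(body);
    free(b.data);
    return out;
}
```

A body of 20000 bytes crosses the 16 KiB initial capacity and forces the realloc() path, which is exactly where a pointer cached before the growth would be left dangling.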

The latest problem was fixed with the release of OpenSSL 1.1.0b.

OpenSSL developers also released version 1.0.2j, which patches a missing CRL sanity check issue affecting only version 1.0.2i (CVE-2016-7052).

The OpenSSL Project said that by quickly releasing a patch for the critical vulnerability, users will update their installations directly to the newest versions rather than to the ones made available last week.