OpenSSL Security Advisory Released

Monday, June 9, 2014 @ 07:06 PM gHale

OpenSSL released new versions last week that mitigate several additional vulnerabilities discovered since the April OpenSSL vulnerability caused by the HeartBleed bug, according to a report on ICS-CERT.

These vulnerabilities ended up discovered by various researchers including: Masashi Kikuchi of Lepidum Co. Ltd., Imre Rad of Search-Lab Ltd., Jüri Aedla, Felix Gröbert, and Ivan Fratrić at Google.

Highway Sign Software Vulnerability
COPA-DATA Improper Input Validation
Triangle MicroWorks Fixes DoS Hole
Cogent Fixes 3 DataHub Vulnerabilities

More information about these remotely exploitable vulnerabilities and the new versions that mitigate them are in the OpenSSL Security Advisory and in the CERT/CC vulnerability note.

Exploits that target some of these vulnerabilities are publicly available.

ICS-CERT created an OpenSSL affected/unaffected products list that specifies which vendors, products, and product versions affected by the OpenSSL HeartBleed vulnerability. This document also contains a list of vendors, products, and product versions that evaluated their products and have asserted their products do not suffer the effects of the OpenSSL HeartBleed vulnerability. Owners and operators of control systems might use this list to determine whether their equipment may also contain a version of OpenSSL affected by these newly reported vulnerabilities. This document will get updates on an as needed basis.

Successful exploits of these vulnerabilities may allow an attacker to decrypt or modify traffic between a vulnerable client and server, cause a denial of service (DoS) condition, or remotely execute arbitrary code.

The OpenSSL Project is an ongoing volunteer-driven collaborative multinational development effort for the Open Source toolkit, implementing the secure sockets layer (SSL) and transport layer security (TLS) protocols, as well as a general purpose cryptography library. The Open Source toolkit sees action in some secure communication devices used in ICS networks.

For more details about each of these vulnerabilities, please see the OpenSSL Security Advisory posted to the web site June 5.

OpenSSL has made the following updates available:
• OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za
• OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m
• OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h

Leave a Reply

You must be logged in to post a comment.