New critical flaws discovered in OpenSSL, patch now

Pierluigi Paganini June 06, 2014

The OpenSSL Foundation has fixed a series of new vulnerabilities, two of them considered critical. Organizations are invited to apply patches asap.

The Open SSL has provided a collection of updates for its libraries to fix a series of new vulnerabilities recently reported. The exact number of vulnerabilities affecting OpenSSL is 6 and two of them are considered critical, as reported in the table below the flaws could be exploited by attackers to conduct MiTM attacks, remote code execution or to force a DoS.

OpenSSL new vulnerabilities

Recently OpenSSL was mentioned many times after the public disclosure of the critical Heartbleed bug that affected millions of users worldwide. To fix the above vulnerabilities the OpenSSL foundation has issued the patched versions 0.9.8za, 1.0.0m and 1.0.1h, which are both available on the project website.

Below the details of the flaws

SSL/TLS MITM vulnerability (CVE-2014-0224)

This vulnerability is a “CCS Injection” flaw and it resides in ChangeCipherSpec (CCS) request sent during the handshake. A hacker exploiting the flaw could perform a man-in-the-middle attack against the encrypted connection servers and clients, allowing him to decrypt, read or manipulate the data in transit. The CCS Injection attack is possible only if both server and client are vulnerable.

In order to exploit this issue, a MITM attacker would effectively do the following actions:

  • Wait for a new TLS connection, followed by the ClientHello / ServerHello handshake messages.
  • Issue a CCS packet in both the directions, which causes the OpenSSL code to use a zero length pre master secret key. The packet is sent to both ends of the connection. Session Keys are derived using a zero length pre master secret key, and future session keys also share this weakness.
  • Renegotiate the handshake parameters.
  • The attacker is now able to decrypt or even modify the packets in transit.

OpenSSL clients are vulnerable in all versions of OpenSSL.

Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.

Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

The vulnerability was discovered on May 1th 2014 and fixed by Stephen Henson of the OpenSSL core team.

DTLS recursion flaw vulnerability (CVE-2014-0221)

The attacker could exploit the vulnerability by sending an invalid DTLS handshake to an OpenSSL DTLS client, in this way he will force the code to recurse eventually crashing in a DoS attack.

DTLS classic TLS encryption over UDP used to secure voice chat, VOIP and live streams of video.

The attack is effective only for software using OpenSSL as a DTLS client:

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

The vulnerability was reported on May 9th, 2014, Stephen Henson of the OpenSSL core team has developed the fix.

DTLS invalid fragment vulnerability (CVE-2014-0195)

The attacker sends invalid DTLS fragments to an OpenSSL DTLS client or server to cause a buffer overrun attack and run arbitrary code on the target.

Only applications using OpenSSL as a DTLS client or server affected.

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

The vulnerability was discovered on April 23th 2014 and it was fixed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference vulnerability (CVE-2014-0198)

The attacker exploiting a flaw in the do_ssl3_write function can force a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default setting.

  • OpenSSL 1.0.0 users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1h.

The fix was developed by Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service vulnerability (CVE-2010-5298) 

The flaw could be exploited by a remote attackers to inject data across sessions or cause a denial of service. It is based on a race condition in the ssl3_read_bytes function, the vulnerability only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, also in this case this is not the default setting and it is a not a common choice.

  • OpenSSL 1.0.0 users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.

Anonymous ECDH denial of service vulnerability (CVE-2014-3470)

The advisory issued by the OpenSSL Foundation stated that TLS clients which anonymous ECDH (Elliptic Curve Diffie Hellman) ciphersuites are vulnerable to a denial of service attack.

  • OpenSSL 0.9.8 users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1h.

The bug was reported on May 28th 2014, while the fix was developed by Stephen Henson of the OpenSSL core team.

The disclosure of the above vulnerabilities comes after more that a month the diffusion of the information on the HeartBleed bug and a few days after the revelation on the Hello vulnerability in the GnuTLS, the software implementation of SSL/TLS/DTLS protocols.

Pierluigi Paganini

(Security Affairs –  OpenSSL, encryption)



you might also like

leave a comment