OpenSSL fixes serious denial-of-service bug, 11 other flaws

The scare of a second Heartbleed was unjustified

The mystery high-severity flaw that people were expected to be fixed in OpenSSL is no Heartbleed, but it is serious and users should update.

Earlier this week, the OpenSSL Project advised users that patches scheduled to be released Thursday will address several security flaws, one of which was classified as high severity. The announcement gave rise to speculation and some people thought the upcoming vulnerability might have wide-ranging impact, on par with the critical Heartbleed flaw disclosed last April, which affected Web servers, client software, mobile apps and even hardware appliances.

OpenSSL released versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf Thursday to address 12 flaws, but not all OpenSSL versions were affected by all 12 flaws.

The most serious of those vulnerabilities is tracked as CVE-2015-0291 and can lead to denial-of-service attacks. The issue only affects the 1.0.2 branch of OpenSSL.

"If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur," the OpenSSL Project said in a security advisory.

A remote attacker could exploit the bug to cause servers to crash, which could lead to denial of service, OpenSSL Project member Mark Cox explained in a blog post. However, the number of possible targets will be limited, because OpenSSL 1.0.2 was only released a few months ago, so many servers are likely not using it yet, he said.

OpenSSL maintains several different major versions at the same time, so users of OpenSSL 1.0.1, for example, have no reason to upgrade to 1.0.2 if they don't need the new features. They will continue to receive security patches for the 1.0.1 version.

According to Cox, David Ramos of Stanford University, who found and reported the CVE-2015-0291 vulnerability, developed a proof-of-concept exploit, but did not release it publicly.

However, Trey Ford, global security strategist at security firm Rapid7, believes that others will reverse engineer the patch and develop the attack code relatively quickly.

"Steps to push these fixes to internet exposed systems should be prioritized," he said via email.

On Thursday, the OpenSSL Project also reclassified the FREAK vulnerability as high severity. The flaw, which was publicly disclosed at the beginning of March, could allow man-in-the-middle attackers to downgrade the security of SSL connections and then crack the encryption keys protecting them.

The flaw was quietly patched in OpenSSL in January, but it was classified as low severity at the time because it can only be used to attack connections to servers that support an outdated cipher suite known as RSA export, a condition that was thought to be rare.

However, recent studies have shown that support for RSA export cipher suites is far more common than previously believed, which is why the vulnerability has been reclassified as high severity, the OpenSSL Project said.

The new OpenSSL patches also address eight moderate-severity flaws, some of which can also be used for denial-of-service attacks under certain conditions, as well as three low severity issues.

Because its announcement of an upcoming high severity vulnerability generated confusion, the project might change the way in which it classifies flaws.

"We need another security classification; HIGH scared everyone needlessly," said Rich Salz, an OpenSSL Project member on Twitter. "We'll update the policy soon."

There have been previous instances of critical flaws in OpenSSL, so by now CISOs and IT security teams should have a refined process in place for dealing with them, said Cris Thomas, strategist at Tenable Network Security, via email. "It should be a simple matter of following the procedures you developed based on the previous instances."

Join the CSO newsletter!

Error: Please check your email address.

Tags patchessecurityRapid7patch managementencryptionTenable Network SecurityOpenSSL ProjectExploits / vulnerabilities

More about Rapid7RSAStanford UniversityTenableTenable Network Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place