GlobalSign Blog

19 Mar 2015

New Security Flaws Found Within OpenSSL

In the wake of the Heartbleed vulnerability which you might remember from last April, an initiative was taken to harden the OpenSSL cryptographic library to try and limit the likelihood of similar occurrences down the line.

Monday, a member from OpenSSL project team announced that they were going to roll out a number of new OpenSSL versions that were intended to address a number of security defects, two of which was classified as "high" severity.

Today, OpenSSL released its security advisory including one that could allow an attacker to perform a denial-of-service attack against a server running the OpenSSL software (V 1.0.2). There were a total of 14 announcements in the security advisory, 2 high, 9 moderate and 3 low.

Security Issues Identified with High Severity 

Just to make it clear the two issues classified as "high" severity do not have a direct implication on the certificates themselves but rather are related to the rules which are followed by a client and server to establish a secure connection.

The issue here is within the popular open source cryptographic library called OpenSSL which is deployed widely throughout the internet.

1) CVE-2015-0291 – "ClientHello sigalgs DoS".
If a client connects to a server running OpenSSL 1.0.2 and renegotiates with an invalid signature algorithm extension, a NULL pointer dereference will happen and can potentially be exploited in a DOS type attack to the server.

This issue affects OpenSSL version: 1.0.2. OpenSSL 1.0.2 users should upgrade to 1.0.2a.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0291

2) CVE-2015-0204 – "RSA silently downgrades to EXPORT_RSA".
This security flaw exploits clients that support RSA export cipher suites vulnerable to MITM attacks. This security flaw was originally discovered in October of 2014 but was reported with a severity of low, it is now being reclassified as high due to the fact that recent studies (including the FREAK vulnerability discovered last month) show RSA cipher suites support is not as rare as originally thought.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204

Resolution

OpenSSL users should upgrade to the latest version of OpenSSL. In addition, users should check with their software vendor for the most recent security advisories and available updates.

  • OpenSSL 1.0.2 users should upgrade to 1.0.2a
  • OpenSSL 1.0.1 users should upgrade to 1.0.1m
  • OpenSSL 1.0.0 users should upgrade to 1.0.0r
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zf

Details about the latest release and security issues can be found at OpenSSL's Security Advisory. 

Sources:

https://mta.openssl.org/pipermail/openssl-announce/2015-March/000020.html
http://krebsonsecurity.com/2015/03/openssl-patch-to-plug-severe-security-holes/
http://www.bit-tech.net/news/bits/2015/03/17/openssl-vulnerability/1
http://www.theregister.co.uk/2015/03/10/openssl_audit/
http://thehackernews.com/2015/03/openssl-vulnerabilities-patch.html
http://securityaffairs.co/wordpress/34991/security/openssl-announce-new-releases.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
https://www.openssl.org/news/secadv_20150319.txt
https://threatpost.com/openssl-mystery-patch-is-no-heartbleed/111708
http://www.zdnet.com/article/openssl-patches-high-severity-flaw-in-latest-release/

Share this Post

Subscribe to our Blog