The mysterious OpenSSL vulnerability has been patched

No, it doesn’t have a name like Heartbleed or POODLE, it was “just” a denial-of-service. “Just” is by no means something to be ignored, but it is less dangerous with the previous vulnerabilities.

All users of OpenSSL 1.0.2 should upgrade immediately to version 1.0.2a. In the advisory published on their website the OpenSSL vulnerability is called “ClientHello sigalgs DoS (CVE-2015-0291)”. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

According to OpenSSL’s Security Policy, a “high severity issue”  includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS (like this one), a significant leak of server memory (Heartbleed), and remote code execution.

OpenSSL promises that such issues “will be kept private and will trigger a new release of all supported versions”. They will attempt to keep the time these issues are private to a minimum, but the goal would be “no longer than a month” where this is something that can be controlled, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.

The OpenSSL vulnerability has been reported on February 26th and the fix was released yesterday (March 19th), so well within the limit.

If this was no surprise, this advisory comes with something everyone was expecting: the FREAK vulnerability, which was initially categorized as “low severity”, has been reclassified as “high severity”. This was initially classified low because it was originally thought that servers with RSA export cipher suite support were rare: a client was only vulnerable to a MITM attack against a server which supports an RSA export cipher suite. Recent studies have shown that RSA export cipher suites support is far more common.

The patch comes also with fixes for a dozen or so vulnerabilities categorized as “moderate” and “low” severity.

Our recommendation is to update to version 1.0.2a immediately. Now that the vulnerability is public, it is to be expected that cybercriminals will try to exploit it.


© Copyright 2015 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie http://de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since year 2000 in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is an independent IT Security Consultant focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .

Comments are closed.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close