University of Southern California

More OpenSSL Vulnerabilities Reported

Posted on by mbordas

Security researchers have recently identified several vulnerabilities in the OpenSSL encryption library in addition to the widely publicized Heartbleed bug (see https://it-security.usc.edu/2014/04/09/openssl-heartbleed-bug​ for more information about Heartbleed).

System Administrators within USC’s IT units should complete the action items (fixes) summarized below.

#1) Most serious: SSL/TLS MITM vulnerability (CVD-2014-0224) affects traffic between clients and servers that use OpenSSL, if the version of the library on the server is 1.0.1 or newer.

Action Items (these action items also address DTLS recursion flaw (CVE-2014-0221), DTLS invalid fragment vulnerability(CVE-2014-0195), and Anonymous ECDH denial of service (CVE-2014-3470)):

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h

#2) SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) affects only OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and is not common.

Action items:

  • OpenSSL 1.0.0 users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1h.

#3) SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and is not common.

Action items:

  • OpenSSL 1.0.0 users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1h.

#4) Other issues
OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for CVE-2014-0076, the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack” reported by Yuval Yarom and Naomi Benger. This issue was previously fixed in OpenSSL 1.0.1g.

An overview of these vulnerabilities is available in the following article at PC World: http://www.pcworld.com/article/2360560/new-openssl-vulnerability-puts-encrypted-communications-at-risk-of-spying.html. For a more technical description, see the OpenSSL Security Advisory at https://www.openssl.org/news/secadv_20140605.txt.

 

Comments are closed.