OpenSSL Vulnerability Leads to DoS Attack via Memory Exhaustion

On Sept 22, the OpenSSL Project released versions 1.1.0a, 1.0.2i and 1.0.1u to fix 14 vulnerabilities in OpenSSL. One of the patched flaws is a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks. Given the severity rating, users are encouraged to update their installations as soon as possible, before attackers begin to exploit the flaw and crash servers.
OpenSSL is a popular open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as for other secure services.
According to OpenSSL’s security advisory of Sept 22, the high-severity vulnerability (CVE-2016-6304) affects the Online Certificate Status Protocol (OCSP) verification process. OCSP is used to obtain an X.509 digital certificate’s revocation status in order to maintain the security of servers and other network resources. An attacker can exploit the flaw by sending a large OCSP Status Request extension to an OpenSSL 1.0.2 server and renegotiating with an invalid signature algorithms extension, which results in a NULL pointer dereference. This leads to memory exhaustion or unbounded memory growth, causing a DoS condition on the server.
However, the 1.1.0a update patch for a memory corruption flaw (CVE-2016-6307) in the open-source library created a dangling pointer flaw (CVE-2016-6309). OpenSSL released the 1.0.2j version patch for the new flaw on Monday.
“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved,” the Sept 26 security advisory stated. “Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location.”
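The defect the advisory describes is a classic stale-pointer-after-realloc bug. The following is an added illustration written for this article, not OpenSSL’s code: a hypothetical growable message buffer whose initial capacity is 16 KiB, shown once in the vulnerable form (a pointer taken before the buffer grows and written through afterwards) and once in the hardened form (positions kept as offsets, pointers derived only after growth).

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical message buffer (constructed for this example, not OpenSSL's). */
typedef struct {
    unsigned char *data;  /* heap block; realloc() may move it */
    size_t cap;
    size_t len;
    size_t cursor;        /* hardened: read position stored as an OFFSET */
} msgbuf;

enum { INITIAL_CAP = 16 * 1024 };   /* mirrors the "approx 16k" in the advisory */

int msgbuf_init(msgbuf *m) {
    m->data = malloc(INITIAL_CAP);
    if (!m->data) return 0;
    m->cap = INITIAL_CAP; m->len = 0; m->cursor = 0;
    return 1;
}

/* Grow the block to hold at least `need` bytes. When realloc() moves the
 * block, the old address is freed: every pointer into it is now dangling. */
static int msgbuf_reserve(msgbuf *m, size_t need) {
    if (need <= m->cap) return 1;
    size_t ncap = m->cap;
    while (ncap < need) ncap *= 2;
    unsigned char *p = realloc(m->data, ncap);
    if (!p) return 0;
    m->data = p;
    m->cap = ncap;
    return 1;
}

/* VULNERABLE pattern (illustration only, never executed here): the write
 * position is computed before the buffer may move, then used afterwards. */
int append_with_dangling_pointer(msgbuf *m, const unsigned char *src, size_t n) {
    unsigned char *write_pos = m->data + m->len;  /* pointer taken too early */
    if (!msgbuf_reserve(m, m->len + n)) return 0;  /* may free the old block */
    memcpy(write_pos, src, n);                      /* BUG: write to freed memory */
    m->len += n;
    return 1;
}

/* HARDENED: resize first, derive the pointer from the current base afterwards. */
int append_safe(msgbuf *m, const unsigned char *src, size_t n) {
    if (!msgbuf_reserve(m, m->len + n)) return 0;
    memcpy(m->data + m->len, src, n);               /* fresh pointer after growth */
    m->len += n;
    return 1;
}

/* Read one byte at the cursor; valid across reallocations because the cursor
 * is an offset, not a pointer. Returns -1 at end of data. */
int msgbuf_next(msgbuf *m) {
    if (m->cursor >= m->len) return -1;
    return m->data[m->cursor++];
}

void msgbuf_free(msgbuf *m) { free(m->data); m->data = NULL; m->cap = m->len = m->cursor = 0; }
```

Appending more than 16 KiB through `append_safe` forces the reallocation the advisory mentions; the offset-based cursor stays valid, whereas the vulnerable variant would write through the old address.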
OpenSSL users are advised to update their installations immediately to versions 1.1.0a, 1.0.2j and 1.0.1u.