
OpenSSL received fixes for a slew of vulnerabilities that could lead to leaking of information, crashing of the client or downgrade to a lower version of the security protocol.

One of the flaws in the OpenSSL SSL/TLS server code, discovered by David Benjamin and Adam Langley of Google, could allow an attacker to force negotiation of the less secure TLS 1.0 instead of a higher version of the protocol.


This would occur when a badly fragmented “ClientHello” message is delivered to a server during a man-in-the-middle attack: by altering the client's TLS records, the attacker forces the downgrade even though both the client and the server support a more recent version of the protocol.

Denial of service (DoS) attacks could be conducted by sending malformed DTLS packets that cause a memory leak; the same could happen when processing DTLS handshake messages.


While researchers from Google, LogMeIn, Codenomicon and NCC Group reported the most recent issues, none of the vulnerabilities come close to the severity of the Heartbleed bug uncovered by Codenomicon in April.

Having said that, administrators should upgrade to the latest version of the OpenSSL library (0.9.8zb, 1.0.0n or 1.0.1i) as soon as possible.
