
The OpenSSL Project has pushed out new releases of the open-source cryptographic library that fix four vulnerabilities, including the POODLE (Padding Oracle On Downgraded Legacy Encryption) issue.

POODLE was addressed by adding support for TLS_FALLBACK_SCSV, a signalling cipher-suite value that a client includes when it retries a handshake at a lower protocol version; a server that supports a higher version than the one offered then rejects the connection instead of completing it, which stops a man-in-the-middle (MitM) attacker from forcing a protocol downgrade to SSL 3.0. The Project also patched a bug that allowed servers to accept and complete an SSL 3.0 handshake, and clients to send one, even when OpenSSL had been built with the "no-ssl3" option.
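The server-side rule behind TLS_FALLBACK_SCSV is short enough to show in working code. The following is an added illustration written for this article, not code from OpenSSL: it constructs minimal ClientHello records (the byte layouts are built inline and are not captured traffic), parses the cipher-suite list, and applies the RFC 7507 decision a server makes. The alert number 86 (inappropriate_fallback) and the suite value 0x5600 are the ones defined in RFC 7507; the function names are this example's own.

```python
"""
Server-side TLS_FALLBACK_SCSV check (RFC 7507), stand-alone illustration.
Builds minimal ClientHello records, parses the cipher-suite list and applies
the rule a server uses to refuse a forced protocol downgrade.
"""
import os
import struct

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value from RFC 7507
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3_0: "SSLv3", TLS1_0: "TLSv1.0", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}
ALERT_INAPPROPRIATE_FALLBACK = 86      # fatal alert number defined by RFC 7507


def build_client_hello(client_version, cipher_suites):
    """Constructed (not captured) minimal ClientHello record for testing."""
    body = struct.pack("!H", client_version)
    body += os.urandom(32)                           # client random
    body += b"\x00"                                  # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # record layer: content type 0x16 (handshake), version, length
    return b"\x16" + struct.pack("!HH", client_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                        # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                               # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return client_version, suites


def server_decision(record, server_max_version):
    """
    RFC 7507 section 3: if the ClientHello carries TLS_FALLBACK_SCSV and its
    client_version is below the highest version this server supports, abort
    with a fatal inappropriate_fallback alert. Otherwise negotiate normally.
    Returns ("alert", 86) or ("accept", negotiated_version).
    """
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("accept", min(client_version, server_max_version))


if __name__ == "__main__":
    aes128 = 0x002F                                   # TLS_RSA_WITH_AES_128_CBC_SHA
    cases = [
        ("MitM-forced retry at SSLv3, client sends SCSV", SSL3_0, [aes128, TLS_FALLBACK_SCSV]),
        ("legacy SSLv3-only client, no SCSV",             SSL3_0, [aes128]),
        ("normal TLSv1.2 client, SCSV present",           TLS1_2, [aes128, TLS_FALLBACK_SCSV]),
    ]
    for label, ver, suites in cases:
        verdict = server_decision(build_client_hello(ver, suites), TLS1_2)
        print(f"{label}: {verdict[0]} {VERSION_NAMES.get(verdict[1], verdict[1])}")
```

The second case in the demo is the practical caveat: the SCSV only protects connections where the client actually sends it, so a server that still enables SSL 3.0 remains exposed to any client that does not, and disabling SSL 3.0 outright is the stronger fix.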


The other two fixed bugs are memory leaks that an attacker could exploit to launch denial-of-service (DoS) attacks against servers.

The more serious of the two can be triggered by an attacker sending a carefully crafted handshake message to the server, which causes OpenSSL to fail to free up to 64k of memory. Repeating this many times exhausts the server's available memory, degrading performance and ultimately crashing it.


The new OpenSSL versions are 1.0.1j, 1.0.0o and 0.9.8zc, available from the OpenSSL Project.
