The OpenSSL fix was in, but it actually made things worse: a patch included in the OpenSSL updates released last week introduced a critical vulnerability that could lead to arbitrary code execution, the OpenSSL Project said.
OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u were released last week to fix a plethora of security holes. One of the issues affecting OpenSSL 1.1.0 was a low-severity denial-of-service (DoS) bug caused by excessive memory allocation in the tls_get_message_header() function.
The flaw, reported by Shi Lei of Qihoo 360 and tracked as CVE-2016-6307, was rated low severity because it can only be exploited under certain conditions.
The OpenSSL Project rolled out a fix in version 1.1.0a, but Google security engineer Robert Swiecki soon discovered that the fix itself introduced a critical use-after-free vulnerability (CVE-2016-6309).
“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code,” OpenSSL Project said in a blog post.
The latest problem was fixed with the release of OpenSSL 1.1.0b.
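The pattern the advisory describes, as a constructed C illustration added here (this is not OpenSSL's code; the struct, function names, the ~16k initial buffer and the 4-byte header are hypothetical). The buggy receive path computes a write cursor into the buffer, grows the buffer when the body is larger than the current allocation, and keeps using the old cursor; the corrected path remembers an offset and re-derives the cursor from the buffer's new base after the grow. The buggy function does not dereference the stale pointer (that would be undefined behaviour, and is what crashed OpenSSL); it reports whether the pointer still falls inside the live allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not OpenSSL code. Sizes are hypothetical. */
#define INITIAL_CAP 16384u   /* initial message buffer, approx 16k */
#define HDR_LEN     4u       /* hypothetical fixed header length */

struct msg_buf {
    unsigned char *data;     /* heap buffer holding the incoming message */
    size_t cap;              /* bytes allocated */
    size_t len;              /* bytes used */
};

static int buf_init(struct msg_buf *b)
{
    b->data = malloc(INITIAL_CAP);
    b->cap = INITIAL_CAP;
    b->len = 0;
    return b->data != NULL;
}

/* Grows by allocating a new block, copying, and freeing the old one, so the
 * buffer always moves: the case realloc() is allowed to produce and, for a
 * large grow, usually does. Any pointer into the old block is now dangling. */
static int buf_grow(struct msg_buf *b, size_t need)
{
    unsigned char *fresh;
    if (need <= b->cap)
        return 1;
    fresh = malloc(need);
    if (fresh == NULL)
        return 0;
    memcpy(fresh, b->data, b->len);
    free(b->data);
    b->data = fresh;
    b->cap = need;
    return 1;
}

/* 1 if cursor lies inside the buffer's current allocation, else 0. */
static int cursor_in_buffer(const struct msg_buf *b, uintptr_t cursor)
{
    uintptr_t base = (uintptr_t)b->data;
    return cursor >= base && cursor < base + b->cap;
}

/* Buggy pattern: cursor taken before the grow and reused after it.
 * Returns 1 if a write through the cursor would land in the live buffer,
 * 0 if the cursor is dangling, -1 on allocation failure. */
int receive_buggy(size_t body_len)
{
    struct msg_buf b;
    uintptr_t cursor_val;
    int ok;

    if (!buf_init(&b))
        return -1;
    b.len = HDR_LEN;                         /* header already consumed */
    cursor_val = (uintptr_t)(b.data + b.len); /* saved as integer, pre-free */
    if (!buf_grow(&b, HDR_LEN + body_len)) { /* moves b.data if body > cap */
        free(b.data);
        return -1;
    }
    ok = cursor_in_buffer(&b, cursor_val);   /* stale once the buffer moved */
    free(b.data);
    return ok;
}

/* Fixed pattern: keep an offset across the grow and recompute the cursor
 * from the new base. Writes the body and returns its byte sum so the copy
 * can be checked; -1 on allocation failure. */
long receive_fixed(size_t body_len, unsigned char fill)
{
    struct msg_buf b;
    size_t off, i;
    unsigned char *cursor;
    long sum = 0;

    if (!buf_init(&b))
        return -1;
    b.len = HDR_LEN;
    off = b.len;                             /* an offset survives a move */
    if (!buf_grow(&b, HDR_LEN + body_len)) {
        free(b.data);
        return -1;
    }
    cursor = b.data + off;                   /* derived after the grow */
    memset(cursor, fill, body_len);
    b.len += body_len;
    for (i = off; i < b.len; i++)
        sum += b.data[i];
    free(b.data);
    return sum;
}

int main(void)
{
    printf("buggy, 100-byte body:   cursor valid = %d\n", receive_buggy(100));
    printf("buggy, 20000-byte body: cursor valid = %d\n", receive_buggy(20000));
    printf("fixed, 20000-byte body: byte sum = %ld\n", receive_fixed(20000, 1));
    return 0;
}
```

With a 100-byte body no grow happens and the buggy cursor is still valid, which is why the regression only shows up for messages larger than the initial buffer; with a 20000-byte body the buffer moves and the old cursor points at freed memory. Storing an offset rather than a raw pointer across any call that may reallocate is the general fix.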
OpenSSL developers also released version 1.0.2j, which patches a missing CRL sanity check (CVE-2016-7052) affecting only version 1.0.2i.
The OpenSSL Project said it released the patch for the critical vulnerability quickly so that users who had not yet applied last week's updates would move directly to the newest versions rather than to the vulnerable ones.