OpenSSL patches denial of service vulnerabilities

Users of the OpenSSL open source cryptographic library have been advised to check and patch their installations, after new vulnerabilities were discovered that can be used in denial of service attacks.

Of the vulnerabilities listed in today's OpenSSL security advisory, the CVE-2015-0291 is rated as the most dangerous, and classified as high severity.

Discovered by David Ramos at Stanford University, the bug allows a malicious OpenSSL client to crash and reboot servers with a NULL pointer derefence while renegotiating with an invalid signature algorithm extension.

The flaw can be used in denial of service attacks against servers but it only affects OpenSSL version 1.0.2.

The previously identified FREAK vulnerability has had its severity rating upgraded from low to high. The vulnerability permits attackers to trick servers into downgrading to the weak RSA export cipher suite with a low 512-bit key strength that can easily be guessed.

FREAK is now rated as high, as cryptographers have discovered that server support for the weak RSA export cipher suite from the 1990s is far more common than thought, putting users at risk of having their communications intercepted in so-called man in the middle (MITM) attacks.

OpenSSL versions 0.9.8, 1.0.0 and 1.0.1 are affected by the RSA export cipher suite flaw.

Nine of the vulnerabilities in today's security advisory are marked as having moderate severity, and can be exploited in denial of service attacks. 

None are as severe as Heartbleed, discovered last year. Heartbleed allows attackers to silently intercept traffic between vulnerable OpenSSL installations.

OpenSSL has released patched versions of the crypto library, 1.0.0r, 1.0.1m and 1.0.2a that fix the vulnerabilties.