OpenSSL patches denial of service vulnerabilities

By on
OpenSSL patches denial of service vulnerabilities

FREAK bug reclassified as high severity.

Users of the OpenSSL open source cryptographic library have been advised to check and patch their installations, after new vulnerabilities were discovered that can be used in denial of service attacks.

Of the vulnerabilities listed in today's OpenSSL security advisory, the CVE-2015-0291 is rated as the most dangerous, and classified as high severity.

Discovered by David Ramos at Stanford University, the bug allows a malicious OpenSSL client to crash and reboot servers with a NULL pointer derefence while renegotiating with an invalid signature algorithm extension.

The flaw can be used in denial of service attacks against servers but it only affects OpenSSL version 1.0.2.

The previously identified FREAK vulnerability has had its severity rating upgraded from low to high. The vulnerability permits attackers to trick servers into downgrading to the weak RSA export cipher suite with a low 512-bit key strength that can easily be guessed.

FREAK is now rated as high, as cryptographers have discovered that server support for the weak RSA export cipher suite from the 1990s is far more common than thought, putting users at risk of having their communications intercepted in so-called man in the middle (MITM) attacks.

OpenSSL versions 0.9.8, 1.0.0 and 1.0.1 are affected by the RSA export cipher suite flaw.

Nine of the vulnerabilities in today's security advisory are marked as having moderate severity, and can be exploited in denial of service attacks. 

None are as severe as Heartbleed, discovered last year. Heartbleed allows attackers to silently intercept traffic between vulnerable OpenSSL installations.

OpenSSL has released patched versions of the crypto library, 1.0.0r, 1.0.1m and 1.0.2a that fix the vulnerabilties.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?