OpenSSL squarely rooted by cert parsing bug

LibreSSL issues patches as well.

A bug in the widely used open source OpenSSL cryptography library can be abused to trigger an infinite loop, causing a denial of service, security researchers have found.

Google Project Zero security researchers David Benjamin and Tavis Ormandy discovered the bug, and reported it to the OpenSSL project maintainers on February 25.

Rated as high severity, the bug can be triggered by a malicious digital certificate with invalid explicit curve parameters, OpenSSL said in its advisory.

"The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli," the OpenSSL project said.

The advisory says the infinite loop can cause denial-of-service for TLS servers consuming client certificates; hosting providers taking certificates or private keys from customers; certificate authorities parsing certification requests from subscribers; and anything else which parses ASN.1 elliptic curve parameters.
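To make the advisory's point concrete, here is an added example (not OpenSSL's or LibreSSL's code) of a modular square root routine written so that a composite modulus is rejected quickly instead of spinning forever. It implements the standard Tonelli-Shanks algorithm with two defensive layers: a Miller-Rabin primality check on the modulus up front, and an explicit bound on every search loop, so that even if the primality check is skipped the routine still terminates. The function names `is_probable_prime` and `mod_sqrt`, the `skip_prime_check` parameter and the sample moduli are assumptions of this example.

```python
import random

# Added example (not OpenSSL or LibreSSL code): a modular square root with
# explicit bounds on every search loop, so a composite modulus fails fast
# instead of looping forever as the advisory describes for BN_mod_sqrt().


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; a False result is always correct."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def mod_sqrt(a: int, p: int, skip_prime_check: bool = False):
    """Return x with x*x == a (mod p), or None if p is composite or a has no root.

    Tonelli-Shanks, written so that no loop relies on p actually being prime:
    each search is bounded, and exhausting a bound is reported as failure.
    """
    # Guard 1: refuse a modulus that is not (probably) prime.
    if not skip_prime_check and not is_probable_prime(p):
        return None
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    # Euler's criterion: a must be a quadratic residue mod p.
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Fast path for p = 3 (mod 4): x = a^((p+1)/4).
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Guard 2: bounded search for a quadratic non-residue z.
    for z in range(2, p):
        if pow(z, (p - 1) // 2, p) == p - 1:
            break
    else:
        return None  # never reached for prime p; terminates for composite p
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Guard 3: bounded search for the least i (0 < i < m) with t^(2^i) == 1.
        # For a composite modulus such an i may not exist; an unbounded
        # search here is exactly the kind of loop that never ends.
        t2 = t
        for i in range(1, m):
            t2 = pow(t2, 2, p)
            if t2 == 1:
                break
        else:
            return None
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, pow(b, 2, p)
        t, r = (t * c) % p, (r * b) % p
    return r


if __name__ == "__main__":
    p25519 = 2**255 - 19  # a real prime modulus; takes the full Tonelli-Shanks path
    print(mod_sqrt(4, p25519) == p25519 - 2)
    print(mod_sqrt(8, 21))                         # composite: stopped by the primality guard
    print(mod_sqrt(8, 21, skip_prime_check=True))  # composite: still stops, via the loop bounds
```

The design point is that a library parsing untrusted input (a certificate carrying its own curve parameters, as the advisory describes) cannot assume the field prime it is handed is actually prime; either validate the modulus before doing arithmetic that assumes primality, or make every loop in that arithmetic terminate on its own, and preferably both.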

OpenSSL versions 1.0.2, 1.1.1 and 3.0 are affected by the bug, and users are advised to upgrade to 1.0.2zd (premium extended support customers only), 1.1.1n and 3.0.2 respectively.

LibreSSL, the OpenSSL-derived cryptographic library maintained by the OpenBSD project, has also been updated.

Versions 3.3.6, 3.4.3, and 3.5.1, patched against the infinite loop denial of service condition, will appear on OpenBSD mirrors soon, LibreSSL maintainers advised.
