OpenSSL subject to remote memory corruption

Researcher discovery sparks vulnerability controversy.

A security researcher has sparked controversy in the OpenSSL community, claiming he has found a security vulnerability in a version released last week.

Guido Vranken blogged that OpenSSL 3.0.4, which shipped on June 21, has a memory corruption bug that he claims “can be trivially triggered by an attacker”.

That version of OpenSSL was released to address CVE-2022-1292, a moderate-rated vulnerability related to input sanitisation; the release was needed because a previous fix didn't work.

According to Vranken, the bug he reported only affects systems using processors that implement AVX512 (Intel’s Advanced Vector Extensions 512) support, and it doesn’t affect the OpenSSL 1.1.1 branch, BoringSSL or LibreSSL.

In an overwhelmingly technical post describing how he found the potential memory corruption, Vranken wrote: “If RCE exploitation is possible this makes it worse than Heartbleed in an isolated severity assessment, though the potential blast radius is limited by the fact that many people are still using the 1.1.1 tree rather than 3, libssl has forked into LibreSSL and BoringSSL, the vulnerability has only existed for a week (HB existed for years) and an AVX512-capable CPU is required.”

There is, however, doubt about whether it’s a vulnerability or a mere crash.

As OpenSSL Foundation developer Tomáš Mráz commented on GitHub: “I do not think this is a security vulnerability. It is just a serious bug making 3.0.4 release unusable on AVX512 capable machines.”

Developer Alex Gaynor responded: “I'm not sure I understand how it's not a security vulnerability. It's a heap buffer overflow that's triggerable by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake).”

While a fix is available via GitHub and is promised in OpenSSL 3.0.5, a date hasn’t yet been put on that release.
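
As an added example (not from the article, Vranken's post or the OpenSSL project), the following Python check triages a Linux host against the two conditions reported above: OpenSSL 3.0.4 and a CPU advertising AVX512. The function names, status strings and sample inputs are constructed for illustration, and matching any `avx512*` flag in `/proc/cpuinfo` is an assumption, since the article does not say which AVX512 feature is involved.

```python
import re

AFFECTED = (3, 0, 4)  # the only release the article reports as affected

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Example CPU\n"
    "flags\t\t: fpu sse2 avx avx2 avx512f avx512dq avx512ifma\n"
)

def parse_openssl_version(banner):
    """Return (major, minor, patch) from `openssl version` output, else None."""
    m = re.match(r"\s*OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(part) for part in m.groups()) if m else None

def avx512_flags(cpuinfo_text):
    """Collect avx512* feature flags from Linux /proc/cpuinfo text."""
    found = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            # Assumption: any avx512* flag counts as "AVX512-capable".
            found.update(f for f in value.split() if f.startswith("avx512"))
    return found

def triage(banner, cpuinfo_text):
    """Classify one host against the two conditions the article gives."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"          # not an OpenSSL banner: review by hand
    if version != AFFECTED:
        return "not-affected"     # e.g. the 1.1.1 branch
    if avx512_flags(cpuinfo_text):
        return "exposed"          # 3.0.4 on an AVX512-capable CPU
    return "upgrade-advised"      # 3.0.4, but no AVX512 flags seen

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CPUINFO))
    # On a live Linux host (assumes `openssl` is on PATH):
    #   import subprocess
    #   out = subprocess.run(["openssl", "version"],
    #                        capture_output=True, text=True).stdout
    #   print(triage(out, open("/proc/cpuinfo").read()))
```

`openssl version` reports only the library the command-line tool is linked against; applications that bundle or statically link their own copy need to be checked separately.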

Copyright © iTnews.com.au. All rights reserved.