
OpenSSL users urged to patch high-severity holes

By Juha Saarinen on May 4, 2016 9:28AM

Could be used for MitM attacks, remote code execution.

OpenSSL users are being urged to apply patches released overnight by the maintainers of the open source cryptography framework that contain fixes for two high-severity holes.

The open source OpenSSL library is used to cryptographically protect sensitive web and email traffic using the transport layer security (TLS) protocol, underpinning the majority of communications conducted online.

Last night it was revealed that a memory corruption bug in the OpenSSL Abstract Syntax Notation One (ASN.1) encoder, fixed in April last year, has come back to haunt users when combined with a second, independent bug.

Assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2016-2108, the combined bug can be abused to cause memory corruption in applications that use X.509 digital certificates in a way that triggers ASN.1 encoding.

Attackers may be able to remotely cause out-of-bounds memory writes with the bug and execute code on vulnerable servers.

A second "padding oracle attack" bug has also been patched by OpenSSL. CVE-2016-2107 is similarly rated as high severity, and can be used for man-in-the-middle interception attacks that decrypt traffic flowing across a connection.

According to security researcher Thomas Ptacek, the bug is difficult to exploit and will only give up small amounts of data per attack.

He attributed the hole to insufficient understanding of how programming features interact with each other, and said there could be further, similar bugs in the future.

"What's interesting about crypto to me is the prospect that every common crypto flaw has second- and third-order variants that we will not find out about for many years, the same way we've barely now got a grip on the interaction between C integers and buffer counting," Ptacek wrote.

OpenSSL advised users on version 1.0.1 to upgrade to 1.0.1t and those on 1.0.2 to move to 1.0.2h.
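The upgrade advice above maps each affected branch to a fixed release, so the practical check on a host is to read the `openssl version` banner and compare its patch letter against that table. The script below is an added example written for this page, not code from OpenSSL or from the article; the version table is limited to the two branches the article names (1.0.1 to 1.0.1t, 1.0.2 to 1.0.2h), and the sample banners are constructed in the format that `openssl version` prints. It also handles the double-letter suffixes (za, zb, ...) that OpenSSL used once a branch ran past z, so that a hypothetical 1.0.2za is not mis-ordered below 1.0.2h.

```python
import re

# Fixed releases named in the advisory the article reports on: 1.0.1 -> 1.0.1t, 1.0.2 -> 1.0.2h.
# Restricting the table to these two branches is an assumption of this example.
FIXED_PATCH_LETTER = {"1.0.1": "t", "1.0.2": "h"}

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.0.1s  1 Mar 2016".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """Split an `openssl version` banner into (branch, patch_letters).

    Returns None when the banner does not look like an OpenSSL version string
    (for example a LibreSSL banner, which reports its own version scheme).
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    branch = ".".join(m.group(1, 2, 3))
    return branch, m.group(4)


def patch_key(letters):
    """Sort key for OpenSSL patch-letter suffixes.

    1.0.x releases count a, b, ..., z and then za, zb, ...; an empty suffix is the
    initial release of the branch. Ordering by (length, string) reproduces that
    sequence, so "" < "a" < "z" < "za".
    """
    return (len(letters), letters)


def needs_upgrade(banner):
    """Classify a banner against the fixed releases.

    Returns (branch, patch_letters, status) where status is one of:
      'vulnerable'  - branch is 1.0.1 or 1.0.2 and the build predates the fix
      'patched'     - branch is 1.0.1 or 1.0.2 and the build is at or after the fix
      'not-covered' - any other branch; this table cannot say either way
    or None when the banner is not parseable.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    branch, letters = parsed
    fixed = FIXED_PATCH_LETTER.get(branch)
    if fixed is None:
        return branch, letters, "not-covered"
    status = "patched" if patch_key(letters) >= patch_key(fixed) else "vulnerable"
    return branch, letters, status


if __name__ == "__main__":
    # Constructed sample banners in the shape of `openssl version` output; not taken from any real host.
    samples = [
        "OpenSSL 1.0.1s  1 Mar 2016",
        "OpenSSL 1.0.1t  3 May 2016",
        "OpenSSL 1.0.2g  1 Mar 2016",
        "OpenSSL 1.0.2h  3 May 2016",
        "OpenSSL 1.0.2  22 Jan 2015",
        "OpenSSL 0.9.8zh 3 Dec 2015",
        "LibreSSL 2.3.4",
    ]
    for s in samples:
        print(f"{s!r:32} -> {needs_upgrade(s)}")
```

A banner check only tells you which upstream release a build claims to be; distributions that backport fixes keep the old version string, so on such systems the package changelog, not the banner, is the authoritative signal.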

Four low-severity bugs are also taken care of with the latest OpenSSL update.

Copyright © iTnews.com.au . All rights reserved.
Tags: cryptography, openssl, security, tls, ssl