Ouch, Six New Bugs Found in OpenSSL

After taking a pretty big hit from the Heartbleed bug, OpenSSL is back in the news for an additional six bugs that put user data at risk. Security researchers have discovered a number of additional bugs in OpenSSL that can be used to allow malicious persons to spy on communications. Fortunately for the masses (about two thirds of internet sites use OpenSSL), these new bugs are not as easy to exploit as Heartbleed was.

The new flaws were disclosed when a new update for OpenSSL was pushed out the door. The patch is listed as critical, and OpenSSL recommends that it be installed as soon as possible. If you know the corporate world, this could still mean that sites and technologies will be vulnerable for days or even weeks as each business validates the patch to ensure that it will not affect other systems.

One of the bugs, which affects SSL/TLS, looks to be a little more serious and may goad companies into running this patch through much faster. Titled CVE-2014-0224, this little bug affects all clients and servers running version 1.0.1. According to OpenSSL:

“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”

Now what is very interesting is that this bug has existed since the first release of OpenSSL and is just now being patched. It seems that after Heartbleed the gang at OpenSSL have decided to step up their game and review the API to make sure it is actually secure. The fact that they have found multiple critical bugs shortly after Heartbleed is a big deal and should make people think about just how secure some security products and APIs really are…

You can read the advisory here
