OpenSSL Patches Severe Denial-of-Service Vulnerability
Hold the dedicated websites, logos and mass-media outbreak: the highly anticipated high-severity OpenSSL vulnerability is serious, but it is no Heartbleed or POODLE.
The overhyped OpenSSL vulnerability turns out to be a denial-of-service bug that affects version 1.0.2 of the crypto library. A dozen other vulnerabilities were also identified and patched in the same OpenSSL update; nine of them were ranked moderate and three were ranked low in severity. The OpenSSL project team has advised everyone to update to the latest version, 1.0.2a.
The denial-of-service attack can crash a client or server with a malformed certificate, which OpenSSL’s security policy classifies as a high-severity issue.
The OpenSSL project, which had notified the public of the upcoming update but withheld the details so the patch could go out without a hitch, published its advisory at 10 a.m. EST Thursday: “If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.”
The issue was brought to light by Stanford University student David Ramos, who reported the OpenSSL vulnerability (CVE-2015-0291) on February 26. Ramos is said to have a private exploit for the bug, and Mark J. Cox of the Open Source Project said the team is unaware of any public exploits in circulation.
Under the OpenSSL security policy, denial-of-service bugs, memory leaks, and remote code execution vulnerabilities prompt OpenSSL to release an immediate update patching the bug. That is another reason OpenSSL provided advance notification of the upcoming vulnerability, as the team has done in the past. Still, the lack of details didn’t stop media outlets and social media channels from running wild with rash speculation about another up-and-coming Heartbleed.
OpenSSL’s policy for classifying vulnerability severity was published last September, informing the public how the project ranks its vulnerabilities and whether you need to patch. High- and moderate-severity vulnerabilities remain private until OpenSSL has a scheduled patch ready to release. Low-severity bugs are patched in development versions of the software and are often picked up in the newer versions the project pushes out for a high-severity issue. It is highly unlikely that a low-severity issue on its own will prompt OpenSSL to make a new release.
OpenSSL also re-categorized the FREAK vulnerability as a high-severity issue, whereas it was initially ranked low severity; at the time, users were urged to upgrade to the earlier 1.0.1k, 1.0.0p, or 0.9.8zd releases, depending on which branch they were running. The bug, which could allow attackers to downgrade the crypto on a server, intercept encrypted traffic and easily decrypt it, was quietly patched by the software team on January 8. OpenSSL had initially been notified of the FREAK vulnerability on October 22.
The OpenSSL vulnerability should be patched, as it is reportedly not too tough to exploit.
“It’s pretty easy to take in a cert, read it, and modify it to cause a crash,” said Rich Salz, a member of the OpenSSL development team. “On the server side, it’s riskier. They have to be asking for client certs, which doesn’t happen that often. The practice is not common, but triggering the crash is easy.”
The other eleven bugs patched affect versions 1.0.1 and 1.0.2, whereas the high-severity issue is likely to affect fewer installations, as 1.0.2 is extremely recent.
Though the OpenSSL patch is no Heartbleed, it is still highly recommended that you update your OpenSSL package.
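As an added example (not the article's or the OpenSSL project's code), this Python script parses the output of `openssl version` and reports which of the issues named above a local build is still exposed to: CVE-2015-0291, fixed in 1.0.2a, and FREAK, fixed in 1.0.1k, 1.0.0p and 0.9.8zd. The fix levels come from the article; the `FIXED_IN` table and the `affected_issues` and `check_local_openssl` functions are names chosen here.

```python
import re
import subprocess

# Fix levels named in the article. A build below the fix level on its own
# branch is reported as affected; other branches are out of scope here.
FIXED_IN = {
    "CVE-2015-0291": {"1.0.2": "1.0.2a"},
    "FREAK": {"1.0.1": "1.0.1k", "1.0.0": "1.0.0p", "0.9.8": "0.9.8zd"},
}

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Pull (major, minor, patch, letters) out of 'openssl version' output.

    OpenSSL's letter suffixes run a..z and then za, zb, ..., so a plain
    string comparison of the suffix orders them correctly
    ('' < 'k' < 'z' < 'zd').
    """
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def affected_issues(text):
    """Names of the article's issues that this build is still exposed to."""
    ver = parse_version(text)
    branch = "%d.%d.%d" % ver[:3]
    hits = []
    for issue, fixes in FIXED_IN.items():
        fixed = fixes.get(branch)
        if fixed is not None and ver < parse_version(fixed):
            hits.append(issue)
    return hits


def check_local_openssl():
    """Run the system 'openssl version' and return (banner, affected issues)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    return out.strip(), affected_issues(out)


if __name__ == "__main__":
    banner, issues = check_local_openssl()
    print(banner, "->", ", ".join(issues) if issues else "not affected by the listed issues")
```

A system package may carry backported fixes under an older version string, so treat a hit from this check as a prompt to confirm with the distribution's changelog rather than as proof.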