Vulnerabilities fixed in the OpenSSL library

OpenSSL is a widely-used open source software implementation for encryption and SSL/TLS protocols. The latest release addresses nine vulnerabilities.

Four vulnerabilities are related to processing DTLS protocol messages. The vulnerabilities may lead to a denial-of-service condition by causing a crash or consuming excessive amounts of memory.

One vulnerability (CVE-2014-3511) allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version.

One vulnerability (CVE-2014-5139) may trigger a denial-of-service condition in a TLS client processing a crafted handshake packet in relation to the SRP (Secure Remote Protocol) authentication scheme.

Another vulnerability (CVE-2014-3512) affecting users of SRP may cause an overrun of an internal buffer.

Vulnerability coordination

CVE-2014-5139 was discovered by Joonas Kuorilehto and Riku Hietamäki of the Codenomicon CROSS project with the TLS Client Suite 1.2. NCSC-FI would like to thank Codenomicon, the OpenSSL project, CERT/CC and JPCERT/CC for participating in the vulnerability coordination.

  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Mobile communications systems
  • Embedded systems
  • Others

Target

  • Servers and server applications
  • Workstations and end-user applications
Further information +

Attack vector

  • Remote
Further information on the access vector +

Impact

  • Editing of information
  • Obtaining of confidential information
  • Denial-of-service attack
  • Security bypass
Further information on the impact +

Remediation

  • Software update patch
Further information on the remediation +

Vulnerable software:

  • OpenSSL 1.0.1h and earlier versions
  • OpenSSL 1.0.0m and earlier versions
  • OpenSSL 0.9.8za and earlier versions

Possible solutions and restrictive measures:

Upgrade the vulnerable software in accordance with the vendor's instructions. For users of Linux distributions, the best way to update is the update services provided by the distributor. Services using the vulnerable library must be restarted after the library update.

Further information:

Contact Information
NCSC-FI Vulnerability Coordination can be conacted as follows:
Email:
vulncoord@ficora.fi
Please quote the advisory reference [FICORA #802104] in the subject line.

Telephone:
+358 295 390 230
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Post:
Vulnerability Coordination
FICORA / NCSC-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at

https://www.viestintavirasto.fi/attachments/tietoturva/pgpavaimet/CERT-FI_Vulncoord.txt

The NCSC-FI vulnerability coordination policy is available at

https://www.viestintavirasto.fi/en/informationsecurity/ficorasinformationsecurityservices/vulnerabilitycoordination.html

Update history


Key words: Information security, Vulnerability coordination, Vulnerabilities


LinkedIn Print