The OpenSSL team released updated versions addressing various memory allocation, padding and denial-of-service bugs in the open-source protocol.
OpenSSL has fixed six security vulnerabilities and updated both 1.0.0 and 0.9.8 versions of the open-source implementation of the Secure Sockets Layer protocol.
The vulnerabilities fixed in versions 1.0.0f and 0.9.8s include a publicly known plaintext recovery attack, policy check failures and problems with buffers not being cleared before being reused, according to a security advisory released Jan. 4 on OpenSSL.org. Four of the flaws affect both versions, according to
The most serious flaw, if exploited, could enable an efficient plaintext recovery attack against the OpenSSL implementation of the Datagram Transport Layer Security (DTLS) protocol, which protects server-client communications from tampering or forgery. The issue was discovered and publicized recently by Nadhem Alfardan and Kenny Paterson, security researchers from the Information Security Group at Royal Holloway at the University of London. The cipher-block chaining-based encryption weakness allows adversaries to exploit timing differences that arise during decryption processing and recover the plaintext of an encrypted message without needing the initial encryption key.
The pair is scheduled to demonstrate their "padding oracle attack" at the Network and Distributed System Security Symposium in February. This cryptographic issue was present in both versions of OpenSSL and has been fixed.
Developers also fixed an issue in the way OpenSSL padded SSL 3.0 records in CBC mode. In this mode, plaintext is encrypted in whole blocks, so an incomplete final block is padded to fill it before being encrypted. It turned out that the padding bytes weren't being initialized, so potentially sensitive data from a previous transaction was left behind and encrypted with the new data. The uninitialized contents of memory could contain anything, including the plaintext of other connections to the server. This issue affected both clients and servers that accept SSL 3.0 handshakes.
"As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory," the advisory said.
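The padding behaviour described above, shown as an added C example that is not OpenSSL's code and is not taken from the advisory. The function names, the 16-byte block size and the sample strings are assumptions constructed for illustration; the unsafe form leaves stale buffer contents in the pad region, and the hardened form clears it first.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 16 /* assumed CBC cipher block size, e.g. AES */

/* SSL 3.0 style padding: the final byte holds the pad length; the bytes
 * before it are not defined. The unsafe form leaves them untouched. */
static size_t pad_unsafe(unsigned char *buf, size_t len)
{
    size_t pad = BLOCK - (len % BLOCK);      /* 1..16, length byte included */
    buf[len + pad - 1] = (unsigned char)(pad - 1);
    return len + pad;
}

/* Hardened form: zero the pad region, then write the length byte. */
static size_t pad_safe(unsigned char *buf, size_t len)
{
    size_t pad = BLOCK - (len % BLOCK);
    memset(buf + len, 0, pad);
    buf[len + pad - 1] = (unsigned char)(pad - 1);
    return len + pad;
}

/* Reuse one buffer for two records and count how many bytes of the first
 * record (constructed sample data) survive in the second record's padding. */
static size_t leaked_bytes(int use_safe)
{
    unsigned char buf[64];
    const char *old = "user=alice&password=constructed-sample-secret"; /* constructed */
    const char *cur = "GET / HTTP/1.0\r\n";  /* exactly 16 bytes, constructed */
    size_t len = strlen(cur), total, i, leaked = 0;

    memset(buf, 0, sizeof buf);
    memcpy(buf, old, strlen(old));           /* earlier record in the buffer */
    memcpy(buf, cur, len);                   /* new record overwrites the start */
    total = use_safe ? pad_safe(buf, len) : pad_unsafe(buf, len);

    for (i = len; i + 1 < total; i++)        /* skip the final length byte */
        if (buf[i] == (unsigned char)old[i])
            leaked++;
    return leaked;
}

int main(void)
{
    printf("unsafe: %zu stale bytes, safe: %zu\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

A 16-byte record forces a full block of padding, which is the case that produces the 15 stale bytes the advisory mentions.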
However, the severity of the issue is limited because most OpenSSL servers use a single memory buffer for a given connection and the initial content is usually public handshake data. And the exposed memory buffer is already filled with non-sensitive data, according to
The policy check failure flaw affected only the 0.9.8 branch of OpenSSL. Discovered by the OpenSSL team, the memory allocation bug is triggered only if a specific policy check flag is set and can result in crashes, which in turn can lead to a denial of service (DoS).
Three other vulnerabilities that can lead to a DoS condition were also addressed. One issue, in which an assertion failure can be triggered by malformed RFC 3779 data being included in certificates, is not part of a standard implementation, according to the advisory. In the standard release of OpenSSL, support for RFC 3779 is disabled by default.
Other DoS bugs included problems in handshake restarts for server-gated cryptography and the lack of error-checking to catch invalid parameters for the GOST hash function.