OpenSSL Fixes Six Flaws in the Secure Sockets Layer Protocol Tool

The OpenSSL team released updated versions addressing various memory allocation, padding and denial-of-service bugs in the open-source protocol.

OpenSSL has fixed six security vulnerabilities and updated both 1.0.0 and 0.9.8 versions of the open-source implementation of the Secure Sockets Layer protocol.

The vulnerabilities fixed in versions 1.0.0.f and 0.9.8s include a plain text recovery attack that is publicly known, policy check failures and problems with buffers not being cleared before being reused, according to a security advisory released Jan. 4 on Four of the flaws affect both versions, according to the advisory.

The most serious flaw, if exploited, could enable an efficient plain text recovery attack against the OpenSSL implementation of Datagram Transport Layer Security (DTLS) protocol, which protects server-client communications from tampering or forgery. The issue was discovered and publicized recently by Nadhem Alfardan and Kenny Paterson, security researchers from the Information Security Group at Royal Holloway at the University of London. The cipher-block chaining-based encryption weakness allows adversaries to exploit timing differences that arise during decryption processing and recover the plain text version of an encrypted message without needing the initial encryption key.

The pair is scheduled to demonstrate their "padding Oracle attack" at the Network and Distributed System Security Symposium in February. This cryptographic issue was present in both versions of OpenSSL and has been fixed.

Developers also fixed the issue in the way OpenSSL padded the SSL 3.0 records in CBC mode. In this mode, the entire plain text block has to be encrypted, and if it's incomplete, padded to fill up the block before being encrypted. It turned out that the bytes being padded weren't being initialized, so potentially sensitive data from a previous transaction was left behind and being encrypted with the new data. The uninitialized contents of memory could contain anything, including the plain text of other connections to the server. This issue affected both clients and servers that accept SSL 3.0 handshakes.

"As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory," the advisory said.

However, the severity of the issue is limited because most OpenSSL servers use a single memory buffer for a given connection and the initial content is usually public handshake data. And the exposed memory buffer is already filled with non-sensitive data, according to the advisory.

The policy check failure flaw affected only the 0.9.8 branch of OpenSSL. Discovered by the OpenSSL team, the memory allocation bug is triggered only if a specific policy check flag is set and can result in code crashes, which then can also lead to a denial of service (DoS).

Three other vulnerabilities that can lead to a DoS condition were also addressed. One issue, in which an assertion failure can be triggered by malformed RFC 3779 data being included in certificates, is not part of a standard implementation, according to the advisory. In the standard release of OpenSSL, support for RFC 3779 is disabled by default.

Other DoS bugs included problems in handshake restarts for server-gated cryptography and the lack of error-checking to catch invalid parameters for the GOST hash function.