OpenSSL Patches Security Vulnerabilities

Early this morning, OpenSSL released four patches for new security vulnerabilities found in OpenSSL versions 1.0.1 and 0.9.8. These patches fix a total of eight vulnerabilities, two of which are rated moderate and the others are considered low risk.

According to the OpenSSL advisory, none of the vulnerabilities allow for remote code execution; however, the two moderate vulnerabilities could lead to a Denial of Service attack.

None of these bugs affect SSL Certificates and no action related to certificate management is required.

What’s the Impact?

Both of the moderate vulnerabilities affect DTLS users.

In the first vulnerability, if an attacker sends a crafted DTLS message to a vulnerable server it will cause a segmentation fault in OpenSSL because of a NULL pointer reference. This could lead to a Denial of Service attack.

In the second vulnerability, an attacker could also cause a Denial of Service attack by sending DTLS records.

“A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion,” the advisory says.

The rest of the vulnerabilities are rated as low risk.

What Should I Do?

OpenSSL users should patch their systems, particularly systems using DTLS. We recommend patching any systems that use DTLS as soon as patches are available for your distribution.

Source code is available for the OpenSSL patches here.