OpenSSL fixes six security holes


Summary: The most serious flaw is a DTLS plaintext recovery attack that has already been publicly documented.


OpenSSL has released an alert to warn of at least six security vulnerabilities affecting users of the open source implementation of the SSL and TLS protocols.

The vulnerabilities have been fixed in OpenSSL versions 1.0.0f and 0.9.8s.

The most serious flaw is a DTLS plaintext recovery attack that is publicly known:

Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing.

The latest OpenSSL updates also fix a policy check failure that leads to a double-free bug. They fix a separate issue as well, where OpenSSL prior to 1.0.0f and 0.9.8s fails to clear the bytes used as block cipher padding in SSL 3.0 records. This affects both clients and servers that accept SSL 3.0 handshakes.

"As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory," the open-source group said in an advisory.
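The padding issue described in the advisory, as an added C sketch that is not OpenSSL's code: SSL 3.0 defines only the final padding byte (the padding length), so filler bytes that are never written keep whatever the buffer held before. The function names, the 16-byte block size and the buffer contents are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define BLOCK 16  /* assumed cipher block size (e.g. AES) */

/* Append SSL 3.0 style CBC padding after `len` bytes of record data
 * (payload plus MAC) in `rec`. Only the last byte, the padding length,
 * is defined by the protocol. With clear_pad == 0 the filler bytes are
 * left untouched, which is the behaviour the advisory describes.
 * Returns the padded length, or 0 if `cap` is too small. */
size_t ssl3_pad(unsigned char *rec, size_t len, size_t cap, int clear_pad)
{
    size_t pad = BLOCK - (len % BLOCK);  /* 1..16, includes length byte */
    if (len > cap || pad > cap - len)
        return 0;
    if (clear_pad)
        memset(rec + len, 0, pad - 1);   /* hardened: overwrite filler */
    rec[len + pad - 1] = (unsigned char)(pad - 1);
    return len + pad;
}

/* Count filler bytes (length byte excluded) that still hold stale,
 * non-zero data and would be encrypted and sent to the peer. */
size_t stale_bytes(const unsigned char *rec, size_t len, size_t padded)
{
    size_t n = 0;
    for (size_t i = len; i + 1 < padded; i++)
        if (rec[i] != 0)
            n++;
    return n;
}

/* Constructed demo: a reused buffer still full of old data ('S'),
 * then `len` bytes of new record data ('A') written over the start. */
size_t demo(size_t len, int clear_pad)
{
    unsigned char rec[64];
    if (len > sizeof rec)
        return 0;
    memset(rec, 'S', sizeof rec);        /* stale contents, constructed */
    memset(rec, 'A', len);               /* new record data */
    size_t padded = ssl3_pad(rec, len, sizeof rec, clear_pad);
    return stale_bytes(rec, len, padded);
}
```

A record whose length is already a multiple of the block size gets a full block of padding, which is where the advisory's figure of up to 15 bytes comes from.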

  • RE: OpenSSL fixes six security holes

    Sorry, but this can't possibly be true. As many here proclaim, Open Source software has been vetted by "many eyes" and thus is always free of bugs and vulnerabilities.

    Great to see these important bugs getting fixed in such an important component used widely throughout the internet. Let's just hope it gets picked up and deployed ASAP.