OpenSSL fixes six security holes

The most serious flaw is a DTLS plaintext recovery attack that has already been publicly documented.
Written by Ryan Naraine, Contributor on

OpenSSL has released an alert to warn of at least six security vulnerabilities affecting users of the open source implementation of the SSL and TLS protocols.

The vulnerabilities have been fixed in OpenSSL versions 1.0.0f and 0.9.8s.

The most serious flaw is a DTLS plaintext recovery attack that is publicly known (.pdf):

Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing.

The latest OpenSSL updates also fix a policy check failure that leads to a double-free bug, as well as a separate issue in which OpenSSL prior to 1.0.0f and 0.9.8s fails to clear the bytes used as block cipher padding in SSL 3.0 records. The padding issue affects both clients and servers that accept SSL 3.0 handshakes.

"As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory," the open-source group said in an advisory.
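A constructed illustration of the SSL 3.0 padding issue described above, showing why uncleared padding carries old memory contents and how zeroing it closes the leak. This is an added example, not OpenSSL's code; the function names, the 16-byte block size and the 0xA5 marker are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 16          /* assumed CBC block size (e.g. AES) */
#define STALE 0xA5        /* constructed marker standing in for old memory contents */

/* Pad buf[0..len) to a multiple of BLOCK the SSL 3.0 way: only the last
 * byte (the padding length) has a defined value. With clear_pad == 0 the
 * remaining padding bytes keep whatever the buffer held before. */
size_t ssl3_pad(unsigned char *buf, size_t len, int clear_pad)
{
    size_t pad = BLOCK - (len % BLOCK);          /* 1..BLOCK bytes */
    if (clear_pad)
        memset(buf + len, 0, pad - 1);           /* the mitigation */
    buf[len + pad - 1] = (unsigned char)(pad - 1);
    return len + pad;
}

/* Build one record in a reused buffer and count the stale bytes that
 * end up in the padding, i.e. that would be encrypted and sent. */
size_t stale_bytes_in_record(size_t data_len, int clear_pad)
{
    unsigned char buf[4 * BLOCK];
    size_t total, i, leaked = 0;

    if (data_len > sizeof buf - BLOCK) return (size_t)-1;
    memset(buf, STALE, sizeof buf);              /* previous use of the memory */
    memset(buf, 'D', data_len);                  /* payload + MAC of the new record */
    total = ssl3_pad(buf, data_len, clear_pad);
    for (i = data_len; i + 1 < total; i++)       /* skip the length byte */
        if (buf[i] == STALE) leaked++;
    return leaked;
}

int main(void)
{
    size_t n;
    for (n = 30; n <= 33; n++)
        printf("data=%zu  uncleared=%zu  cleared=%zu\n", n,
               stale_bytes_in_record(n, 0), stale_bytes_in_record(n, 1));
    return 0;
}
```

The worst case is a record whose length is already a multiple of the block size: a full block of padding is appended and 15 of its 16 bytes are filler, which matches the advisory's "up to 15 bytes".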
