The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: OpenSSL

OpenSSL Releases Patch for High-Severity Bug that Could Lead to RCE Attacks

OpenSSL Releases Patch for High-Severity Bug that Could Lead to RCE Attacks

July 06, 2022Ravie Lakshmanan
The maintainers of the OpenSSL project have released patches to address a  high-severity bug  in the cryptographic library that could potentially lead to remote code execution under certain scenarios. The  issue , now assigned the identifier  CVE-2022-2274 , has been described as a case of heap memory corruption with RSA private key operation that was introduced in OpenSSL version 3.0.4 released on June 21, 2022. First released in 1998, OpenSSL is a general-purpose  cryptography library  that offers open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, enabling users to generate private keys, create certificate signing requests ( CSRs ), install SSL/TLS certificates. "SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue," the advisory  noted . Calling it a "serious bug in the RSA implementation
OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability

OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability

June 28, 2022Ravie Lakshmanan
The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems. The issue has been identified in OpenSSL  version 3.0.4 , which was released on June 21, 2022, and impacts x64 systems with the  AVX-512  instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected. Security researcher Guido Vranken, who disclosed details of the bug,  said  it "can be triggered trivially by an attacker." Although the shortcoming has been  fixed , no patches have been made available as yet. OpenSSL is a popular cryptography library that offers an open source implementation of the Transport Layer Security ( TLS ) protocol. Advanced Vector Extensions ( AVX ) are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD. "I do not think this is a security vulnerability," Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thread. "
QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

March 31, 2022Ravie Lakshmanan
Taiwanese company QNAP this week revealed that a selected number of its network-attached storage (NAS) appliances are affected by a recently-disclosed bug in the open-source OpenSSL cryptographic library. "An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS," the company  said  in an advisory published on March 29, 2022. "If exploited, the vulnerability allows attackers to conduct denial-of-service attacks." Tracked as  CVE-2022-0778  (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates to trigger a denial-of-service condition and remotely crash unpatched devices. QNAP, which is currently investigating its line-up, said it affects the following operating system versions – QTS 5.0.x and later QTS 4.5.4 and later QTS 4.3.6 and later QTS 4.3.4 and later QTS 4.3.3 and later QTS 4.2.6 and later QuTS hero h5.0.x and later QuTS hero h4.5.4 and later, and QuTScloud c5.0.x To date, t
New Infinite Loop Bug in OpenSSL Could Let Attackers Crash Remote Servers

New Infinite Loop Bug in OpenSSL Could Let Attackers Crash Remote Servers

March 16, 2022Ravie Lakshmanan
The maintainers of OpenSSL have  shipped patches  to resolve a high-severity security flaw in its software library that could lead to a denial-of-service (DoS) condition when parsing certificates. Tracked as  CVE-2022-0778  (CVSS score: 7.5), the issue stems from parsing a malformed certificate with invalid explicit  elliptic-curve  parameters, resulting in what's called an "infinite loop." The flaw resides in a function called BN_mod_sqrt() that's used to compute the modular square root. "Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack," OpenSSL said in an advisory published on March 15, 2022. "The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic-curve parameters." While there is no evidence that the vulnerability has been exploited in the w
QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

September 01, 2021Ravie Lakshmanan
Network-attached storage (NAS) appliance maker QNAP said it's  currently   investigating  two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable. Tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), the  weaknesses  concern a high-severity buffer overflow in SM2 decryption function and a buffer overrun issue when processing ASN.1 strings that could be abused by adversaries to run arbitrary code, cause a denial-of-service condition, or result in disclosure of private memory contents, such as private keys, or sensitive plaintext — CVE-2021-3711  - OpenSSL SM2 decryption buffer overflow CVE-2021-3712  - Read buffer overruns processing ASN.1 strings "A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the c
OpenSSL Releases Patches for 2 High-Severity Security Vulnerabilities

OpenSSL Releases Patches for 2 High-Severity Security Vulnerabilities

March 26, 2021Ravie Lakshmanan
The maintainers of OpenSSL have released a fix for two high-severity security flaws in its software that could be exploited to carry out denial-of-service (DoS) attacks and bypass certificate verification. Tracked as CVE-2021-3449 and CVE-2021-3450 , both the  vulnerabilities  have been resolved in an update (version OpenSSL 1.1.1k) released on Thursday. While CVE-2021-3449 affects all OpenSSL 1.1.1 versions, CVE-2021-3450 impacts OpenSSL versions 1.1.1h and newer. OpenSSL is a software library consisting of cryptographic functions that implement the Transport Layer Security protocol with the goal of securing communications sent over a computer network. According to an advisory published by OpenSSL, CVE-2021-3449 concerns a potential DoS vulnerability arising due to NULL pointer dereferencing that can cause an OpenSSL TLS server to crash if in the course of renegotiation the client transmits a malicious "ClientHello" message during the  handshake  between the server and
Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

January 23, 2017Swati Khandelwal
It's more than two and half years since the discovery of the critical OpenSSL Heartbleed vulnerability , but the flaw is still alive as it appears that many organizations did not remediate properly to the serious security glitch. It was one of the biggest flaws in the Internet's history that affected the core security of as many as two-thirds of the world's servers i.e. half a million servers at the time of its discovery in April 2014. However, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have already passed, according to a new report published today on Shodan, a search engine that scans for vulnerable devices. Over 199,500 Systems Still Vulnerable to Heartbleed Heartbleed (CVE-2014-0160) was a serious bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allowed attackers to read portions of the affected server's memory, potentially revealing users data that the server isn't intended to re
OpenSSL Releases Patch For "High" Severity Vulnerability

OpenSSL Releases Patch For "High" Severity Vulnerability

November 10, 2016Mohit Kumar
As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software. The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites. The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can lead to DoS attack by corrupting larger payloads, resulting in a crash of OpenSSL. The severity of the flaw is rated "High" and does not affect OpenSSL versions prior to 1.1.0. However, the OpenSSL team reports there is no evidence that the flaw is exploitable beyond a DoS attack. The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash. "Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0
Critical DoS Flaw found in OpenSSL — How It Works

Critical DoS Flaw found in OpenSSL — How It Works

September 23, 2016Swati Khandelwal
The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks. OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as other secure services. The vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0 and patched in OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u. The Critical-rated bug ( CVE-2016-6304 ) can be exploited by sending a large OCSP Status Request extension on the targeted server during connection negotiations, which causes memory exhaustion to launch DoS attacks, the OpenSSL Project said . What is OCSP Protocol? OCSP (Online Certificate Status Protocol), supported by all modern web browsers, is a protocol designed to perform verification and obtain the revocation status of a digital
High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic

High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic

May 05, 2016Mohit Kumar
OpenSSL has released a series of patches against six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server as well as decrypt HTTPS traffic . OpenSSL is an open-source cryptographic library that is the most widely being used by a significant portion of the Internet services; to cryptographically protect their sensitive Web and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. One of the high-severity flaws, CVE-2016-2107 , allows a man-in-the-middle attacker to initiate a " Padding Oracle Attack " that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI. A Padding Oracle flaw weakens the encryption protection by allowing attackers to repeatedly request plaintext data about an encrypted payload content. The Padding Oracle flaw ( exploit code ) was discovered by Juraj Somorovsky using his own developed tool c
DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk

DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk

March 01, 2016Swati Khandelwal
A new deadly security vulnerability has been discovered in OpenSSL that affects more than 11 Million modern websites and e-mail services protected by an ancient, long deprecated transport layer security protocol, Secure Sockets Layer (SSLv2). Dubbed DROWN , the highly critical security hole in OpenSSL was disclosed today as a low-cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details… ...and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday. Here's what the security researchers said: "We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hour
Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate

Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate

July 09, 2015Mohit Kumar
The mysterious security vulnerability in the widely used OpenSSL code library is neither HeartBleed nor FREAK, but it's critical enough to be patched by sysadmins without any delay. OpenSSL Foundation released the promised patch against a high severity vulnerability in OpenSSL versions 1.0.1n and 1.0.2b, resolving a certificate forgery issue in the implementations of the crypto protocol. The critical vulnerability could allow man-in-the-middle attackers to impersonate cryptographically protected websites, virtual private networks, or e-mail servers, and snoop on encrypted Internet traffic. The vulnerability, ( CVE-2015-1793 ), is due to a problem lies in the certificate verification process. An error in its implementation skipped some security checks on new, untrusted certificates. By exploiting this vulnerability, an attacker could circumvent certificate warnings that enable them to force applications into treating an invalid certificate as a legitimate Certificat
OpenSSL to Patch Undisclosed High Severity Vulnerability this Thursday

OpenSSL to Patch Undisclosed High Severity Vulnerability this Thursday

July 07, 2015Mohit Kumar
Attention Please! System Administrator and anyone relying on OpenSSL should be prepared to switch to a new version of the open-source crypto library that will be released this Thursday 9th July. OpenSSL is a widely used open-source software library that provides encrypted Internet connections using SSL/TLS for majority of websites, as well as other secure services. The new versions of OpenSSL crypto library, versions 1.0.2d and 1.0.1p , address a single security vulnerability classified as "high severity," the OpenSSL Project Team announced on Monday. There isn't more details about the mystery security vulnerability available yet, except for the fact that the security vulnerability doesn't affect the 1.0.0 or 0.9.8 series. "The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p," developer Mark J Cox announced in a mailing list note published yesterday. "These releases will be
OpenSSL to Patch High Severity Vulnerability this Week

OpenSSL to Patch High Severity Vulnerability this Week

March 18, 2015Swati Khandelwal
The OpenSSL Foundation is set to release a handful of patches for undisclosed security vulnerabilities in its widely used open source software later this week, including one that has been rated " high " severity. In a mailing list note published last night, Matt Caswell of the OpenSSL Project Team announced that OpenSSL versions 1.0.2a , 1.0.1m , 1.0.0r , and 0.9.8zf will be released Thursday. " These releases will be made available on 19th March ," Caswell wrote. " They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "high" severity. " OpenSSL is an open-source implementation of the SSL and TLS protocols. It's a technology that's widely used by almost every websites to encrypt web sessions, even the Apache web server that powers almost half of the websites over the Internet utilizes OpenSSL. Further details on the mystery security vulnerabilities ( CVE-2015-02
'FREAK' — New SSL/TLS Vulnerability Explained

'FREAK' — New SSL/TLS Vulnerability Explained

March 04, 2015Mohit Kumar
Another new widespread and disastrous SSL/TLS vulnerability has been uncovered that for over a decade left Millions of users of Apple and Android devices vulnerable to man-in-the-middle attacks on encrypted traffic when they visited supposedly 'secured' websites, including the official websites of the White House, FBI and National Security Agency. Dubbed the " FREAK " vulnerability ( CVE-2015-0204 ) - also known as Factoring Attack on RSA-EXPORT Keys - enables hackers or intelligence agencies to force clients to use older, weaker encryption i.e. also known as the export-grade key or 512-bit RSA keys. FREAK vulnerability discovered by security researchers of French Institute for Research in Computer Science and Automation (Inria) and Microsoft, resides in OpenSSL versions 1.01k and earlier, and Apple's Secure Transport. 90s WEAK EXPORT-GRADE ENCRYPTION Back in 1990s, the US government attempted to regulate the export of products utilizing "
Google Releases 'nogotofail' Network Traffic Security Testing Tool

Google Releases 'nogotofail' Network Traffic Security Testing Tool

November 06, 2014Wang Wei
Google introduced a new security tool to help developers detect bugs and security glitches in the network traffic security that may leave passwords and other sensitive information open to snooping. The open source tool, dubbed as Nogotofail , has been launched by the technology giant in sake of a number of vulnerabilities discovered in the implementation of the transport layer security, from the most critical Heartbleed bug in OpenSSL to the Apple's gotofail bug to the recent POODLE bug in SSL version 3. The company has made the Nogotofail tool available on GitHub, so that so anyone can test their applications, contribute new features to the project, provide support for more platforms, and help improve the security of the internet. Android security engineer Chad Brubaker said that the Nogotofail main purpose is to confirm that internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and Secure Sockets Layer (SSL) encry
Android 4.3 and Earlier versions Vulnerable to Critical Code-Execution Flaw

Android 4.3 and Earlier versions Vulnerable to Critical Code-Execution Flaw

June 27, 2014Swati Khandelwal
A critical code-execution vulnerability almost affecting everyone those are not running the most updated version of Google Android , i.e. Android version 4.4 also known as KitKat. After nine months of vulnerability disclosure to the Android security team, researchers of the Application Security team at IBM have finally revealed all the possible details of a serious code-execution vulnerability that still affects the Android devices running versions 4.3 and earlier, which could allow attackers to exfiltrate sensitive information from the vulnerable devices. " Considering Android's fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure ," said Roee Hay, a security research group leader at IBM. The researchers found the stack buffer overflow vulnerability that resides in the Android's KeyStore storage service, which according to the Android developers' website is the service code running in Androi
Google Unveils BoringSSL, Another Flavor of OpenSSL

Google Unveils BoringSSL, Another Flavor of OpenSSL

June 21, 2014Mohit Kumar
The open source encryption protocol, OpenSSL, which is used by several social networks, search engines, banks and other websites to enable secure connections while transmitting data, came to everybody's attention following the Heartbleed vulnerability , a critical bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory, potentially revealing users data, that the server did not intend to reveal. Now, the biggest Internet giant Google is launching a new fork of OpenSSL, which they dubbed as BoringSSL, developed by its own independent work with the code. " We have used a number of patches on top of OpenSSL for many years, " Adam Langley, a cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. " Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI
OpenSSL Vulnerable to Man-in-the-Middle Attack and Several Other Bugs

OpenSSL Vulnerable to Man-in-the-Middle Attack and Several Other Bugs

June 05, 2014Mohit Kumar
Remember OpenSSL Heartbleed vulnerability ? Several weeks ago, the exposure of this security bug chilled the Internet, revealed that millions of websites were vulnerable to a flaw in the OpenSSL code which they used to encrypt their communications. Now once again the OpenSSL Foundation has issued software updates to patch six new vulnerabilities, and two of them are critical. MAN-IN-THE-MIDDLE ATTACK (CVE-2014-0224) First critical vulnerability (CVE-2014-0224) in OpenSSL is " CCS Injection " - resides in ChangeCipherSpec (CCS) request sent during the handshake that could allow an attacker to perform a man-in-the-middle attack against the encrypted connection servers and clients.  By exploiting this vulnerability an attacker could intercept an encrypted connection which allows him to decrypt, read or manipulate the data. But the reported flaw is exploitable only if both server and client are vulnerable to this issue. According to the OpenSSL advisory , " An attacker
Beware Of Fake 'HeartBleed Bug Remover Tool', Hijacks System with Malware

Beware Of Fake 'HeartBleed Bug Remover Tool', Hijacks System with Malware

May 28, 2014Wang Wei
I am considering that you all must have read my last article on OpenSSL Heartbleed , a critical bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory, potentially revealing users data, that the server did not intend to reveal. The Heartbleed vulnerability made headlines around the world and my last article explains everything about probably the biggest Internet vulnerability in recent history, but still some readers are not aware of its nature, otherwise they would not have been a victim of the spam campaigns. Spammers are very smart on gaining from every opportunity they get, so this time they are taking advantage of the infamous Heartbleed bug and frighten the users into installing Anti-Heartbleed Software onto their systems, which is obviously a malware. The researchers at Symantec have unearthed a spam campaign targeting people by sending spam emails that warns them their
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.