The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: openssl vulnerability

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug
January 23, 2017Swati Khandelwal
It's more than two and half years since the discovery of the critical OpenSSL Heartbleed vulnerability , but the flaw is still alive as it appears that many organizations did not remediate properly to the serious security glitch. It was one of the biggest flaws in the Internet's history that affected the core security of as many as two-thirds of the world's servers i.e. half a million servers at the time of its discovery in April 2014. However, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have already passed, according to a new report published today on Shodan, a search engine that scans for vulnerable devices. Over 199,500 Systems Still Vulnerable to Heartbleed Heartbleed (CVE-2014-0160) was a serious bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allowed attackers to read portions of the affected server's memory, potentially revealing users data that the server isn't intended to re

OpenSSL Releases Patch For "High" Severity Vulnerability

OpenSSL Releases Patch For "High" Severity Vulnerability
November 10, 2016Mohit Kumar
As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software. The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites. The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can lead to DoS attack by corrupting larger payloads, resulting in a crash of OpenSSL. The severity of the flaw is rated "High" and does not affect OpenSSL versions prior to 1.1.0. However, the OpenSSL team reports there is no evidence that the flaw is exploitable beyond a DoS attack. The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash. "Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0

Critical DoS Flaw found in OpenSSL — How It Works

Critical DoS Flaw found in OpenSSL — How It Works
September 23, 2016Swati Khandelwal
The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks. OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as other secure services. The vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0 and patched in OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u. The Critical-rated bug ( CVE-2016-6304 ) can be exploited by sending a large OCSP Status Request extension on the targeted server during connection negotiations, which causes memory exhaustion to launch DoS attacks, the OpenSSL Project said . What is OCSP Protocol? OCSP (Online Certificate Status Protocol), supported by all modern web browsers, is a protocol designed to perform verification and obtain the revocation status of a digital

High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic

High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic
May 05, 2016Mohit Kumar
OpenSSL has released a series of patches against six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server as well as decrypt HTTPS traffic . OpenSSL is an open-source cryptographic library that is the most widely being used by a significant portion of the Internet services; to cryptographically protect their sensitive Web and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. One of the high-severity flaws, CVE-2016-2107 , allows a man-in-the-middle attacker to initiate a " Padding Oracle Attack " that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI. A Padding Oracle flaw weakens the encryption protection by allowing attackers to repeatedly request plaintext data about an encrypted payload content. The Padding Oracle flaw ( exploit code ) was discovered by Juraj Somorovsky using his own developed tool c

DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk

DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk
March 01, 2016Swati Khandelwal
A new deadly security vulnerability has been discovered in OpenSSL that affects more than 11 Million modern websites and e-mail services protected by an ancient, long deprecated transport layer security protocol, Secure Sockets Layer (SSLv2). Dubbed DROWN , the highly critical security hole in OpenSSL was disclosed today as a low-cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details… ...and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday. Here's what the security researchers said: "We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hour

Critical OpenSSL Flaw Allows Hackers to Decrypt HTTPS Traffic

Critical OpenSSL Flaw Allows Hackers to Decrypt HTTPS Traffic
January 29, 2016Mohit Kumar
The OpenSSL Foundation has released the promised patch for a high severity vulnerability in its cryptographic code library that let attackers obtain the key to decrypt HTTPS-based communications and other Transport layer security (TLS) channels. OpenSSL is an open-source library that is the most widely used in applications for secure data transfers. Most websites use it to enable Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption. However, after serious security vulnerabilities were discovered in OpenSSL over the last few years, the crypto library has been under much investigation by security researchers. The latest bugs affect OpenSSL versions 1.0.1 and 1.0.2, which has been patched in new releases of OpenSSL, versions 1.0.1r and 1.0.2f . The team has patched two separate vulnerabilities in OpenSSL. The " high severity " bug, identified as CVE-2016-0701 , addresses issues in the implementations of the Diffie-Hellman key exchang

Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate

Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate
July 09, 2015Mohit Kumar
The mysterious security vulnerability in the widely used OpenSSL code library is neither HeartBleed nor FREAK, but it's critical enough to be patched by sysadmins without any delay. OpenSSL Foundation released the promised patch against a high severity vulnerability in OpenSSL versions 1.0.1n and 1.0.2b, resolving a certificate forgery issue in the implementations of the crypto protocol. The critical vulnerability could allow man-in-the-middle attackers to impersonate cryptographically protected websites, virtual private networks, or e-mail servers, and snoop on encrypted Internet traffic. The vulnerability, ( CVE-2015-1793 ), is due to a problem lies in the certificate verification process. An error in its implementation skipped some security checks on new, untrusted certificates. By exploiting this vulnerability, an attacker could circumvent certificate warnings that enable them to force applications into treating an invalid certificate as a legitimate Certificat

OpenSSL to Patch Undisclosed High Severity Vulnerability this Thursday

OpenSSL to Patch Undisclosed High Severity Vulnerability this Thursday
July 07, 2015Mohit Kumar
Attention Please! System Administrator and anyone relying on OpenSSL should be prepared to switch to a new version of the open-source crypto library that will be released this Thursday 9th July. OpenSSL is a widely used open-source software library that provides encrypted Internet connections using SSL/TLS for majority of websites, as well as other secure services. The new versions of OpenSSL crypto library, versions 1.0.2d and 1.0.1p , address a single security vulnerability classified as "high severity," the OpenSSL Project Team announced on Monday. There isn't more details about the mystery security vulnerability available yet, except for the fact that the security vulnerability doesn't affect the 1.0.0 or 0.9.8 series. "The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p," developer Mark J Cox announced in a mailing list note published yesterday. "These releases will be
Exclusive Offers

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.