
OpenSSL fixes potential DoS bugs

OpenSSL needs to be patched again.

The open source project team said Thursday that version 1.0.2 of its toolkit for implementing the SSL/TLS protocols has a serious bug that could lead to a denial of service attack. OpenSSL users should upgrade to version 1.0.2a as soon as possible.

In a security advisory, the team said that if a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

Also on Thursday, the PCI Security Standards Council was notified by a security researcher of a cross-site scripting vulnerability on pcisecuritystandards.org, a problem that could have been embarrassing to an organization focused on payment security. “We identified a minor vulnerability in the public documents library on the PCI SSC website that was addressed within minutes,” council communications manager Laura Johnson acknowledged in an email to IT World Canada. “No data of any kind was at risk.”

The OpenSSL issue was reported Feb. 26 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.

The version 1.0.2a upgrade also fixes other problems. OpenSSL 1.0.2 introduced the “multiblock” performance improvement for 64-bit x86 architecture platforms that support AES-NI instructions. According to the security notice, a defect in the implementation of “multiblock” can cause OpenSSL’s internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However, if some other BIO is used, it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack.

The upgrade also fixes a problem that could crash certificate verification operations, and one that could cause memory corruption.
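To act on the upgrade advice, the sketch below (an added example, not code from the article or from the OpenSSL project) parses OpenSSL version banners, including the patch-letter suffix that separates 1.0.2 from 1.0.2a, and flags 1.0.2 builds older than the fixed release. The function names and the host inventory are hypothetical, and the banners are constructed samples.

```python
import re
import ssl

# OpenSSL 1.0.x banners look like "OpenSSL 1.0.2a <date>": three numeric fields
# plus optional patch letters; a tag such as "-fips" may follow and is ignored.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
FIXED = (1, 0, 2, "a")  # release the article says to upgrade to


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letters), or None if not an OpenSSL banner."""
    m = _BANNER.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def classify(banner):
    """Compare a banner with the 1.0.2 -> 1.0.2a advice described in the article."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"        # e.g. a different TLS library
    if v[:3] != FIXED[:3]:
        return "other-branch"   # the article only discusses the 1.0.2 branch
    # Patch letters order as "" < a < ... < z < za, so compare length first.
    if (len(v[3]), v[3]) < (len(FIXED[3]), FIXED[3]):
        return "upgrade"
    return "patched"


def audit(inventory):
    """Return the sorted host names whose banner is a 1.0.2 build before 1.0.2a."""
    return sorted(h for h, b in inventory.items() if classify(b) == "upgrade")


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web-01": "OpenSSL 1.0.2 22 Jan 2015",
    "web-02": "OpenSSL 1.0.2a 19 Mar 2015",
    "vpn-01": "OpenSSL 1.0.2-fips 22 Jan 2015",
    "old-01": "OpenSSL 1.0.1m 19 Mar 2015",
    "bsd-01": "LibreSSL 2.1.6",
}

if __name__ == "__main__":
    print("needs 1.0.2a:", audit(SAMPLE))
    # The library this Python interpreter is linked against:
    print(ssl.OPENSSL_VERSION, "->", classify(ssl.OPENSSL_VERSION))
```

Distribution packages sometimes backport fixes without changing the version string, so a banner flagged here should be confirmed against the package changelog.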

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
