RealTime IT News

Multiple Vulnerabilities Found in OpenSSL

The OpenSSL Project has released new versions of its popular implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to plug multiple security vulnerabilities.

According to a security advisory issued by the OpenSSL project, the vulnerabilities could allow malicious people to cause a denial-of-service or to gain system access.

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay are affected. The project said any application that makes use of OpenSSL's ASN1 library to parse untrusted data was also susceptible.

Independent research firm Secunia has tagged a "highly critical" rating on the flaws.

ASN1, or Abstract Syntax Notation One is the language used to define the way data is transmitted across different communication systems. The OpenSSL Project said ASN1 encodings which are rejected by the parser because they are invalid may cause a deallocation of memory.

It is not yet known if this hole could be exploited to execute arbitrary code or merely to cause a denial-of-service.

The security holes were detected by the U.K.-based National Infrastructure Security Coordination Centre (NISCC) which prepared a test suite to check the operation of SSL/TLS software when presented with a wide range of malformed client certificates.

The Center's tests found that if OpenSSL was used in debug mode, an invalid public key in a certificate may cause the verify code to crash. This could also lead to a DoS against systems running in debug mode.

A separate error could also cause OpenSSL to parse and handle client certificates even when OpenSSL isn't configured to do this, the Project warned.

The OpenSSL Project is a collaborative effort to develop a commercial-grade and open-source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1).