Multiple Vulnerabilities Found in OpenSSL

The OpenSSL Project has released new
versions of its popular implementation of the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols to plug multiple security
vulnerabilities.

According to a security advisory
issued by the OpenSSL project, the vulnerabilities could allow malicious
people to cause a denial-of-service or to gain system
access.

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
versions of SSLeay are affected. The project said any application that
makes use of OpenSSL’s ASN1 library to parse untrusted data was also
susceptible.

Independent research firm Secunia has tagged a “highly critical” rating
on the flaws.

ASN1, or Abstract Syntax Notation One is the language used to define the
way data is transmitted across different communication systems. The OpenSSL
Project said ASN1 encodings which are rejected by the parser because they
are invalid may cause a deallocation of memory.

It is not yet known if this hole could be exploited to execute arbitrary
code or merely to
cause a denial-of-service.

The security holes were detected by the U.K.-based National
Infrastructure Security Coordination Centre (NISCC) which prepared a test
suite to check the operation of SSL/TLS software when presented
with a wide range of malformed client certificates.

The Center’s tests found that if OpenSSL was used in debug mode, an
invalid public key in a
certificate may cause the verify code to crash. This could also lead to a
DoS against systems running in debug mode.

A separate error could also cause OpenSSL to parse and handle client
certificates even when OpenSSL isn’t configured to do this, the Project
warned.

The OpenSSL Project is a collaborative effort to develop a
commercial-grade and open-source toolkit implementing the Secure Sockets
Layer (SSL v2/v3) and Transport Layer Security (TLS v1).

News Around the Web