Close
%%CLICK_URL_UNESC%%

Six Security Vulnerabilities Addressed in OpenSSL

 Versions 1.0.0f and 0.9.8s of the popular OpenSSL library address six security flaws, including one that allows DTLS (Datagram Transport Layer Security) communications to be decrypted.

 Versions 1.0.0f and 0.9.8s of the popular OpenSSL library, released this week, address six security flaws, including one that allows DTLS (Datagram Transport Layer Security) communications to be decrypted.

The "padding oracle attack," which can recover plaintext information encrypted with DTLS, was devised by Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (RHUL), who plan to present it at the 19th Annual Network & Distributed System Security (NDSS) Symposium in February.

The Alfardan-Paterson DTLS attack builds on previous RHUL research into CBC-based encryption weaknesses. When the CBC (Cipher-block chaining) mode of operation is used, each block of plaintext is XORed with the ciphertext of the previous block, making them dependable on each other.

Alfardan and Paterson discovered a way of recovering plaintext without knowing the initial encryption key (initialization vector) by analyzing timing differences that arise during the decryption process. The vulnerability facilitating this attack was addressed in OpenSSL versions 1.0.0f and 0.9.8s, which were released on Wednesday.

Another vulnerability addressed by these updates could result in a potential leak of non-ecrypted information when SSL 3.0 is used. The severity of the issue is limited by the special conditions required for successful exploitation and the small number of potentially exposed bytes.

One flaw that only affects the 0.9.8 OpenSSL branch stems from a policy check failure when the X509_V_FLAG_POLICY_CHECK flag is set. Its discovery is credited to core OpenSSL team member Ben Laurie and was fixed in version 0.9.8s.

Three denial-of-service conditions have also been addressed in the new releases. They were the result of an assertion failure triggered by malformed RFC 3779 data being included in certificates, a bug in the support for handshake restarts for server gated cryptography (SGC) and the lack of error checking when GOST parameters are set by TLS clients.

Users are advised to upgrade to the newly released OpenSSL versions for their corresponding platform or wait for the operating system vendors who integrate the library by default to issue updates through their regular channels.

 

Microsoft may offer some Windows 10 patch notes to enterprises

The company is mulling how to tell businesses about rapid-fire changes to the new OS

Windows 10 Home patch lets you turn off automatic app updates

Cumulative Update 5 for Windows 10 Home corrects an issue that made it impossible to disable automatic app updates through the Windows Store.

Windows 10 hits the 75-million mark

Third-party data supports Microsoft's claim that Windows 10 is off to a strong start