
The OpenSSL Project has patched over a
dozen vulnerabilities in its cryptographic
library, including a high-severity bug that can be
exploited for denial-of-service (DoS) attacks.
OpenSSL is a widely used open-source
cryptographic library that implements the Secure
Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols used to encrypt connections for the
majority of websites, as well as other secure
services.
The high-severity flaw affects OpenSSL versions
1.0.1, 1.0.2 and 1.1.0 and is patched in OpenSSL
versions 1.1.0a, 1.0.2i and 1.0.1u.
The bug (CVE-2016-6304) can be exploited by a
malicious client that sends the server an excessively
large OCSP Status Request extension during
connection negotiation and then keeps requesting
renegotiation, sending a large extension each time;
the server's memory use grows without bound until it
is exhausted, the OpenSSL Project said.
What is the OCSP Protocol?
OCSP (Online Certificate Status Protocol),
supported by all modern web browsers, is a
protocol for checking the revocation status of a
digital certificate, such as the one presented by a
website.
OCSP is divided into client and server components.
When an application or a web browser attempts
to verify an SSL/TLS certificate, the client component
sends a request over HTTP to an online responder,
which in turn returns the status of the
certificate: good, revoked or unknown.
Reported by Shi Lei, a researcher at Chinese
security firm Qihoo 360, the vulnerability affects
servers in their default configuration even if they
do not support OCSP.
"An attacker could use the TLS extension
"TLSEXT_TYPE_status_request" and fill the
OCSP ids with continual renegotiation," the
researcher explained in a blog post.
"Theoretically, an attacker could continually
renegotiate with the server, thus causing
unbounded memory growth on the server, up
to 64k each time."
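To make the mechanics described above (the large OCSP Status Request extension, the "up to 64k each time" and the unbounded growth across renegotiations) concrete, the following Python is an added example written for this page; it is not code from OpenSSL or from the researcher's post. It encodes and parses the RFC 6066 status_request extension body that carries the OCSP responder IDs, then runs a simplified model of a server handling repeated handshakes: the "vulnerable" session appends each handshake's IDs to the session's list without releasing the previous ones, while the "fixed" session drops the old list before storing the new one. The session classes, max_size_status_request() and simulate() are constructed for the illustration and are not OpenSSL's internal API; the 1006-byte responder IDs are constructed input.

```python
import struct

STATUS_TYPE_OCSP = 1          # CertificateStatusType.ocsp (RFC 6066, section 8)
MAX_RESPONDER_LIST = 0xFFFF   # responder_id_list<0..2^16-1>: the "up to 64k" per handshake


def encode_status_request(responder_ids, request_extensions=b""):
    """Build the body of a status_request (extension type 5) with status_type = ocsp.

    responder_ids: list of byte strings, each an opaque ResponderID<1..2^16-1>
    (a DER OCSP ResponderID in real traffic; any bytes will do for this model).
    """
    body = b""
    for rid in responder_ids:
        if not 1 <= len(rid) <= 0xFFFF:
            raise ValueError("ResponderID length out of range")
        body += struct.pack("!H", len(rid)) + rid
    if len(body) > MAX_RESPONDER_LIST:
        raise ValueError("responder_id_list exceeds 2^16-1 bytes")
    if len(request_extensions) > 0xFFFF:
        raise ValueError("request_extensions exceeds 2^16-1 bytes")
    return (bytes([STATUS_TYPE_OCSP])
            + struct.pack("!H", len(body)) + body
            + struct.pack("!H", len(request_extensions)) + request_extensions)


def parse_status_request(data):
    """Parse a status_request body; return (responder_ids, request_extensions).

    Truncated or overlong encodings are rejected rather than silently accepted.
    """
    if len(data) < 5:
        raise ValueError("status_request too short")
    if data[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported CertificateStatusType %d" % data[0])
    (list_len,) = struct.unpack("!H", data[1:3])
    pos, end = 3, 3 + list_len
    if end + 2 > len(data):
        raise ValueError("responder_id_list truncated")
    ids = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("ResponderID length field truncated")
        (rid_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if rid_len == 0 or pos + rid_len > end:
            raise ValueError("ResponderID length invalid")
        ids.append(data[pos:pos + rid_len])
        pos += rid_len
    (ext_len,) = struct.unpack("!H", data[end:end + 2])
    if end + 2 + ext_len != len(data):
        raise ValueError("request_extensions length mismatch")
    return ids, data[end + 2:]


class VulnerableServerSession:
    """Simplified model (an assumption, not OpenSSL's code) of the pre-fix behaviour the
    advisory describes: every ClientHello's responder IDs are added to the session's list
    and the previous list is never released, so renegotiation grows it without bound."""

    def __init__(self):
        self.ocsp_ids = []

    def on_client_hello(self, ext_body):
        ids, _ = parse_status_request(ext_body)
        self.ocsp_ids.extend(ids)       # old IDs are kept: this is the leak

    def retained_bytes(self):
        return sum(len(i) for i in self.ocsp_ids)


class FixedServerSession(VulnerableServerSession):
    """Model of the fixed behaviour: the list from the previous handshake is discarded
    before the new one is stored, so retained memory is bounded by one extension."""

    def on_client_hello(self, ext_body):
        ids, _ = parse_status_request(ext_body)
        self.ocsp_ids = ids             # replaces, rather than extends, the list


def max_size_status_request():
    """Constructed attacker extension whose responder_id_list is as large as the
    2-byte length field allows: 65 IDs of 1006 bytes = 65 * 1008 = 65520 bytes."""
    return encode_status_request([b"A" * 1006] * 65)


def simulate(session_cls, renegotiations, ext_body):
    """Feed the same extension to one session `renegotiations` times; return bytes retained."""
    session = session_cls()
    for _ in range(renegotiations):
        session.on_client_hello(ext_body)
    return session.retained_bytes()


if __name__ == "__main__":
    ext = max_size_status_request()
    for n in (1, 10, 100):
        print("renegotiations=%3d  vulnerable=%9d bytes  fixed=%6d bytes"
              % (n, simulate(VulnerableServerSession, n, ext),
                 simulate(FixedServerSession, n, ext)))
```

The parser checks every length field against the enclosing one, which is the kind of bounds discipline a TLS extension parser needs anyway; the point of the two session classes is only the accounting: the vulnerable model retains a further 65390 bytes per renegotiation, the fixed model never holds more than one extension's worth.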
How to Prevent the OpenSSL DoS
Attack
The proper fix is to upgrade to 1.1.0a, 1.0.2i or
1.0.1u. Administrators who cannot upgrade yet can
mitigate the issue by building OpenSSL with the
'no-ocsp' configure option, since such builds are
not affected. Furthermore, servers using OpenSSL
versions prior to 1.0.1g are not vulnerable in their
default configuration.
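The following Python is an added example, not from the page or from the OpenSSL Project, that turns the advisory's affected-version ranges summarised above into a check you can run against the output of `openssl version`. The sample version strings are constructed; the detection of a no-ocsp build by looking for OPENSSL_NO_OCSP in the output of `openssl version -a` is an assumption about how that configure option shows up on the "compiler:" line, so treat it as a heuristic.

```python
import re

# Ranges from the OpenSSL advisory of 22 September 2016 for CVE-2016-6304:
# 1.0.1g-1.0.1t, 1.0.2-1.0.2h and 1.1.0 are affected; 1.0.1u, 1.0.2i and 1.1.0a
# carry the fix; versions before 1.0.1g are not vulnerable in a default
# configuration; builds made with the no-ocsp option are not affected at all.
AFFECTED = "affected"
FIXED = "fixed"
NOT_AFFECTED_DEFAULT = "not affected in default configuration"
NOT_AFFECTED_NO_OCSP = "not affected (built with no-ocsp)"
UNKNOWN = "not covered by the advisory"

FIXED_IN = {(1, 0, 1): "u", (1, 0, 2): "i", (1, 1, 0): "a"}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letters) from `openssl version` output,
    e.g. 'OpenSSL 1.0.2h  3 May 2016' -> (1, 0, 2, 'h')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string found")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def letter_key(letters):
    """Order OpenSSL patch letters the way releases are numbered:
    '' < 'a' < ... < 'z' < 'za' < 'zb' (double letters only in 0.9.8)."""
    return (len(letters), letters)


def cve_2016_6304_status(version_output):
    """Classify `openssl version` (or `openssl version -a`) output.

    Returns (status, fixed_version): fixed_version is the release to move to for
    the branch in use, or None when no upgrade is needed for this CVE.
    Assumption: a no-ocsp build exposes -DOPENSSL_NO_OCSP on the 'compiler:' line.
    """
    major, minor, patch, letters = parse_openssl_version(version_output)
    base, key = (major, minor, patch), letter_key(letters)
    if "OPENSSL_NO_OCSP" in version_output:
        return NOT_AFFECTED_NO_OCSP, None
    if base < (1, 0, 1) or (base == (1, 0, 1) and key < letter_key("g")):
        return NOT_AFFECTED_DEFAULT, None
    if base not in FIXED_IN:
        return UNKNOWN, None
    fixed_version = "%d.%d.%d%s" % (base + (FIXED_IN[base],))
    status = FIXED if key >= letter_key(FIXED_IN[base]) else AFFECTED
    return status, fixed_version


# Constructed sample outputs, as `openssl version` would print them on various hosts.
SAMPLE_OUTPUTS = [
    "OpenSSL 1.0.2h  3 May 2016",
    "OpenSSL 1.1.0  25 Aug 2016",
    "OpenSSL 1.0.1t  3 May 2016",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.2i  22 Sep 2016",
    "OpenSSL 1.0.2h  3 May 2016\ncompiler: cc -DOPENSSL_THREADS -DOPENSSL_NO_OCSP",
]

if __name__ == "__main__":
    for out in SAMPLE_OUTPUTS:
        status, fixed = cve_2016_6304_status(out)
        print("%-28s -> %s%s" % (out.splitlines()[0], status,
                                  " (upgrade to %s)" % fixed if status == AFFECTED else ""))
```

Pipe the real output in with `openssl version -a | python3 check.py` style wrapping, and remember the usual caveat with version-string checks: distributions such as Debian and Red Hat backport fixes without bumping the upstream version string, so a result of "affected" on a vendor package should be confirmed against the vendor's changelog rather than taken at face value. The 1.0.1 branch also reaches end of support on 31st December 2016, so "fixed" on 1.0.1u is only a short-term state.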
Another, moderate-severity vulnerability
(CVE-2016-6305) that can be exploited to launch
denial-of-service attacks is also fixed in the patch
release; it affects only OpenSSL 1.1.0, which was
released less than one month ago.
The team has also resolved a total of 12 low-
severity vulnerabilities in the latest versions of
OpenSSL, though most of them do not affect the
1.1.0 branch.
It is worth noting that the OpenSSL Project will
end support for OpenSSL version 1.0.1 on 31st
December 2016, so users of that branch will not
receive any security updates from the beginning of
2017. Users are therefore advised to upgrade to a
supported branch to avoid unpatched security issues.