
OpenSSL Patched After Being Hit By Two ‘Severe’ Flaws

The developers of OpenSSL, a software library used by around two-thirds of web servers to secure online communications, have patched two severe security bugs they say could allow the execution of malicious code or the decryption of login credentials.

Updates fixing the bugs were released for OpenSSL versions 1.0.1 and 1.0.2 on Tuesday.

Broad impact

The flaws are the latest to affect OpenSSL, and are of concern in part because of the library’s broad use for securing web and email communications.

This prominence led security researchers in April 2014 to organise a publicity campaign around another, more severe bug known as Heartbleed to ensure system administrators applied the fix as soon as possible.

One of the bugs, given the name CVE-2016-2108, causes memory corruption and could allow an attacker to execute malicious code on a server.

The problem is the result of two distinct flaws that separately appear minor, but when combined could render servers vulnerable to malware, researchers said.

The bug in OpenSSL’s ASN.1 encoder could be exploited using malicious digital certificates signed by trusted certificate authorities, but exploitation appears to be difficult, researchers said.

The second bug, CVE-2016-2107, is of a kind called a padding oracle flaw, which weakens the protection of encryption by letting an attacker repeatedly learn, from the server’s responses, information about an encrypted payload’s content.

Decryption flaw

The bug could allow an attacker to decrypt small amounts of encrypted data if a client can be induced to send the data repeatedly, which could be sufficient for obtaining authentication data, according to developer Filippo Valsorda, who specialises in the Transport Layer Security (TLS) protocol of which OpenSSL is an implementation.

The bug can be exploited via methods such as man-in-the-middle (Mitm) attacks on connections using an AES-CBC cipher on servers supporting the AES-NI instruction set, meaning it could affect up to one in four secure connections, Valsorda said.

“If a client uses AES-CBC to connect to a server with AES-NI support, a Mitm can recover at least 16 bytes of anything it can get the client to send repeatedly, together with attacker-controlled data (think cookies or such, using JavaScript cross-origin requests),” he wrote.

The bug was introduced in a 2013 patch for a separate padding oracle flaw, developers said. It inadvertently caused OpenSSL to stop performing a check that screened out certain padding oracle attacks, they said.
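The article describes the flaw only at a high level. As an added illustration, constructed for this page and not OpenSSL’s own code, the toy model below shows a MAC-then-encrypt record check (the step that runs after CBC decryption) in the leaky shape a padding oracle needs, beside a hardened form that validates the record length before indexing and returns one indistinguishable error whether the padding or the MAC was wrong. The key, record layout and HMAC-SHA1 tag length are assumptions of the model.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag length, as in the AES-CBC/HMAC-SHA1 cipher suites


def make_record(key: bytes, body: bytes, pad_len: int) -> bytes:
    """Build a decrypted-looking record: body || HMAC(body) || padding.
    TLS-style padding is pad_len + 1 bytes, each equal to pad_len."""
    tag = hmac.new(key, body, hashlib.sha1).digest()
    return body + tag + bytes([pad_len]) * (pad_len + 1)


def leaky_check(key: bytes, dec: bytes) -> str:
    """Vulnerable shape: a padding failure and a MAC failure produce different
    results, and nothing verifies that padding + MAC actually fit in the record."""
    pad_len = dec[-1]
    if any(b != pad_len for b in dec[-(pad_len + 1):]):
        return "decryption_failed"            # reveals: padding was wrong
    body_len = len(dec) - pad_len - 1 - MAC_LEN   # may go negative, unchecked
    body, tag = dec[:body_len], dec[body_len:body_len + MAC_LEN]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest(), tag):
        return "bad_record_mac"               # reveals: padding was right
    return "ok"


def hardened_check(key: bytes, dec: bytes) -> str:
    """Fixed shape: explicit length check first, padding and MAC always both
    verified, and a single bad_record_mac outcome for every failure.  A real
    implementation must also do this in constant time, which Python cannot
    guarantee; the structure is what this model demonstrates."""
    pad_len = dec[-1]
    ok = len(dec) >= pad_len + 1 + MAC_LEN
    if not ok:
        pad_len = 0  # fall back to a dummy layout so the MAC is still computed
    ok &= all(b == dec[-1] for b in dec[len(dec) - pad_len - 1:])
    body_len = max(0, len(dec) - pad_len - 1 - MAC_LEN)
    body, tag = dec[:body_len], dec[body_len:body_len + MAC_LEN]
    ok &= hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest(), tag)
    return "ok" if ok else "bad_record_mac"
```

Feeding both functions a record with valid padding but a corrupted tag, and one with corrupted padding, shows the leaky version answering differently in the two cases while the hardened version does not.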


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
