CIS Logo
tagline: Confidence in the Connected World
HomeResourcesAdvisoriesMultiple Vulnerabilities in OpenSSL Could Lead to Denial of Service Conditions

Multiple Vulnerabilities in OpenSSL Could Lead to Denial of Service Conditions

MS-ISAC ADVISORY NUMBER:

2015-030

DATE(S) ISSUED:

03/18/2015

OVERVIEW:

Multiple vulnerabilities have been discovered in OpenSSL. OpenSSL is an open-source implementation of the SSL protocol used by a number of applications and products. SSL (Secure Sockets Layer) is a protocol that ensures secure communication over the Internet via encryption. Successful exploitation of these vulnerabilities may result in denial of service conditions.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • OpenSSL 1.0.2 users should upgrade to 1.0.2a.
  • OpenSSL 1.0.1 users should upgrade to 1.0.1k.
  • OpenSSL 1.0.0 users should upgrade to 1.0.0p.
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
HIGH

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in OpenSSL. The details of these vulnerabilities are as follows:

A Null pointer dereferencing issue may result in denial of service conditions (CVE-2015-0208, CVE-2015-0288,CVE-2015-0289, CVE-2015-0291).
RSA export ciphersuites are prone to a man-in-the-middle (MITM) attack (CVE-2015-0204).
A defect in the implementation of "multiblock" may result in denial of service conditions (CVE-2015-0290).
A defect in the implementation of DTLSv1 Segmentation fault in DTLSv1_listen changes the ClientHello to act statefull (CVE-2015-0207).
ASN1_TYPE_cmp may result in denial of service conditions when comparing ASN.1 boolean types (CVE-2015-0286).
Reusing a structure in ASN.1 parsing may result in memory corruption (CVE-2015-0287).
An issue in the Base64 decoding may cause memory corruption (CVE-2015-0292).
Servers supporting SSLv2 and enable export cipher suites may be susceptible to denial of service conditions (CVE-2015-0293).
A server may be susceptible to denial of service conditions when processing DHE ciphersuites (CVE-2015-1787).
OpenSSL client may be susceptible to an unseeded PRNG handshake (CVE-2015-0285)
Use-after-free following d2i_ECPrivatekey error denial of service conditions or memory corruption (CVE-2015-0209).
Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.

RECOMENDATIONS:

We recommend the following actions be taken:

After appropriate testing, apply appropriate updates to vulnerable systems immediately.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories