The OpenSSL Project yesterday released updates to four versions of its SSL implementation software that will patch 14 vulnerabilities. Two of the vulnerabilities had their severity rated as “high”, with the remainder classified as moderate or low-severity.
OpenSSL is open-source software deployed by thousands of organizations worldwide to encrypt communications online. The OpenSSL Project has updated the following versions, and US-CERT has advised users to upgrade as soon as possible:
- OpenSSL 1.0.2a for 1.0.2 users
- OpenSSL 1.0.1m for 1.0.1 users
- OpenSSL 1.0.0r for 1.0.0 users
- OpenSSL 0.9.8zf for 0.9.8 users
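A quick inventory check against the list above, added here as an example (it is not from the article or from the OpenSSL project): it parses the banner printed by `openssl version` and tells you whether the installed build is at or above the patched release for its branch. It assumes OpenSSL's patch-letter ordering (a through z, then za, zb, ...) and the function names are my own.

```python
import re

# Minimum patched releases from the advisory, keyed by release branch.
PATCHED = {
    "1.0.2": "1.0.2a",
    "1.0.1": "1.0.1m",
    "1.0.0": "1.0.0r",
    "0.9.8": "0.9.8zf",
}

# Matches "OpenSSL 1.0.1k 8 Jan 2015" or "OpenSSL 1.0.1m-fips"; trailing text is ignored.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Return (branch, patch_letters) from an `openssl version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def _letter_key(letters):
    # Patch letters run a..z and then za, zb, ... so a longer suffix sorts later;
    # an empty suffix (e.g. plain "1.0.2") is the oldest release of the branch.
    return (len(letters), letters)


def check(banner):
    """Classify a banner as 'patched', 'vulnerable' or 'unknown' (branch not in the advisory).

    Returns (status, installed_version, required_version_or_None).
    """
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch, letters = parsed
    installed = branch + letters
    required = PATCHED.get(branch)
    if required is None:
        return ("unknown", installed, None)
    required_letters = required[len(branch):]
    if _letter_key(letters) < _letter_key(required_letters):
        return ("vulnerable", installed, required)
    return ("patched", installed, required)


if __name__ == "__main__":
    # Constructed sample banners; on a real host feed in the output of `openssl version`.
    for sample in ("OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 1.0.2 22 Jan 2015",
                   "OpenSSL 0.9.8zf 19 Mar 2015", "OpenSSL 1.0.1m-fips"):
        print(sample, "->", check(sample))
```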
One of the high-severity issues (CVE-2015-0291) involves OpenSSL 1.0.2. A successful exploit of the vulnerability could allow a denial-of-service (DoS) attack against a targeted server.
“The reporter of CVE-2015-0291 has created a private exploit for this issue but we’re not aware of any public exploitation at this time,” wrote Mark Cox of the OpenSSL Project on its blog. “The number of targets will be limited as OpenSSL 1.0.2 was only released a few months ago,” he added.
The “reporter” in this case was David Ramos of Stanford University, who discovered the vulnerability. Ramos notified OpenSSL of the issue on Feb. 25, 2015.
“Fortunately, we now know that although serious and important to fix, the vulnerability isn’t that serious,” observed Graham Cluley, an independent security researcher based in the UK.
“Rather than mobile apps, hardware devices, web servers’ private keys and users’ session cookies and passwords being at risk, the high severity flaw announced by OpenSSL on Thursday was a bug that could be exploited by attackers to make servers crash, effectively a way of launching a denial-of-service (DoS) attack.”
Cluley advised that the current round of security fixes presents nowhere near the threat posed by last year’s Heartbleed vulnerability. The Heartbleed flaw affected software in open-source web servers like Apache and Nginx, with two-thirds of web sites being hosted on these server types.
Six of the vulnerabilities listed in OpenSSL’s security advisory could be leveraged for DoS attacks. The other vulnerability rated “high” (CVE-2015-0204) reached that rating through the reclassification of a previously disclosed bug that was first reported in January of this year.
“The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL,” noted Brian Krebs, a cybersecurity reporter and investigator. “That’s because security updates — particularly those added to open-source software like OpenSSL that anyone can view — give cybercriminals a road map toward finding out where the fixed vulnerabilities lie and insight into how to exploit those flaws.”