CERT Airs Serious Flaws in OpenSSL Protocol

Security experts have detected four serious vulnerabilities in OpenSSL, an open source implementation of the Secure
Sockets Layer (SSL v2/v3) and its successor, Transport Layer Security (TLS v1), according to the Carnegie Mellon
Software Engineering Institute (CERT).

The flaws, commonly known as buffer overflows, could be used by a malicious perpetrator to execute code on a system, or simply to
inflict denial-of-service attacks. Versions OpenSSL that CERT considers susceptible to a breach include
OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2, as well as OpenSSL pre-release 0.9.7-beta2 and prior with
Kerberos-enabled SSLeay library.

SSL and TLS protocols are used to provide a secure connection between a client and a server for higher level protocols,
such as HTTP. Developed by Netscape, SSL gained the support of Microsoft and other Internet client/server developers and became the
de facto standard until evolving into TLS. OpenSSL is an open-source derivative of SSL and TLS. OpenSSL stands apart from the other
two in that it also functions as a cryptography library.

The vulnerabilities were enough to make one security company issue a cautionary public statement:

“The wide proliferation of servers that utilize SSL to protect encrypted sessions, may make these vulnerabilities significant,” said Bruce Murphy, CEO of Vigilinx. “At this point, we are not aware of any damage that has been inflicted due to this vulnerability, but we believe that the potential for damage is high and a proactive response is warranted.”

The flaws include:

• VU#102795 — OpenSSL servers contain a buffer overflow during the SSLv2 handshake process. This can be exploited by a client
  using a malformed key during the handshake process with an SSL server connection
• VU#258555 — OpenSSL clients contain a buffer overflow during the SSLv3 handshake process. A malicious server can exploit this
  by sending a large session ID to the client during the handshake process.
• VU#561275 — OpenSSL servers with Kerberos enabled contain an exploitable buffer overflow during the SSLv3 handshake
  process. Users may exploit this if a malicious client sends a malformed key during the SSLv3 handshake process with the server
• VU#308891 — OpenSSL contains multiple buffers overflows in buffers that are used to hold ASCII representations of integers

CERT Tuesday also warned of holes involving malformed ASN.1 encodings in OpenSSL. Those affected include SSL or TLS
applications, as well as S/MIME, PKCS#7, and certificate creation routines. Wit this flaw, the ASN.1 library has various encoding
errors that allow malformed certificate encodings to be parsed incorrectly, leaving it open to denial-of-serviceissues.

CERT recommends that those affected by the flaws upgrade to version 0.9.6e of OpenSSL. Patches for the flaw are available from OpenSSL.org are available: For the OpenSSL 0.9.6d patch go here.

Sites running OpenSSL pre-release version 0.9.7-beta2 may wish to upgrade to 0.9.7-beta3. Combined patches for OpenSSL 0.9.7 beta 2
may be found here.

After either applying the patches above or upgrading to 0.9.6e, CERT advises users to recompile all applications using OpenSSL to
support SSL or TLS services, and restart services or systems to punt vulnerable code.

CERT was made aware of the holes by: VU#102795, discovered by A.L. Digital Ltd and John McDonald of Neohapsis; VU#258555, VU#561275,
VU#308891, discovered by A.L. Digital Ltd; and VU#748355, discovered by Adi Stav and James Yonan independently.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020