OpenSSL Flaws Discovered and Fixed Last Week Affect a Large Number of Products

  • OpenSSL has fixed two out-of-bounds vulnerabilities that affect a large number of products that use the library.
  • Among them is QNAP, which makes widely used network-attached storage (NAS) appliances.
  • The impact is so far-reaching that most vendors are still investigating which of their products are affected.

QNAP is working on a complete list of products affected by two flaws in OpenSSL that the open-source cryptographic library fixed on August 24, 2021. The impact on the company’s network-attached storage (NAS) appliances appears to be significant, so patches should reach customers soon. Multiple other companies and projects that rely on the OpenSSL library have already released security bulletins, so the problem is widespread.

The flaws are the following:

The first flaw is rated “High” in severity, while the second is rated “Moderate.” In the first case, an attacker could craft data to be decrypted by the application such that a malicious portion lands past the end of the buffer, altering the application’s behavior and potentially crashing it. In the second, a malicious actor could cause the application to construct an ASN1_STRING directly and then process it through one of the affected OpenSSL functions, leading to a crash and thus a denial of service.

The OpenSSL versions affected by these two bugs are 1.1.1k and earlier; users of these versions should upgrade to 1.1.1l or later. OpenSSL 3.0 alpha/beta releases are also affected, but 3.0 is still in development and not officially released yet. The older OpenSSL 1.0.2 is not impacted, but it is no longer supported, so downgrading to it is not advised. Impact on OpenSSL 1.1.0 has not been confirmed, but that version should be considered risky to use as well.
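As an added example (not from the article or from the OpenSSL project), a small Python triage helper that applies the version guidance above to the output of `openssl version`, so an inventory of hosts can be sorted into affected, fixed, unconfirmed and unsupported. The `assess` function, its labels, and the treatment of OpenSSL 3.0.0 final as carrying the fix are assumptions of this example.

```python
import re

# Assessment labels follow the version guidance summarised above (example's own naming).
AFFECTED, FIXED, UNSUPPORTED, UNCONFIRMED = "affected", "fixed", "unsupported", "unconfirmed"

# Matches '1.1.1k', 'OpenSSL 1.1.1l  24 Aug 2021' and '3.0.0-beta2'.
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(alpha|beta)(\d+))?", re.IGNORECASE
)


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, prerelease) for an OpenSSL version string.

    'letter' is the 1.x-style patch letter ('' if none); 'prerelease' is None or a
    (stage, number) tuple such as ('beta', 2) for 3.0 pre-releases.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    pre = (m.group(5).lower(), int(m.group(6))) if m.group(5) else None
    return major, minor, patch, letter, pre


def assess(text):
    """Classify a version string against the advisory guidance (hypothetical helper)."""
    major, minor, patch, letter, pre = parse_openssl_version(text)
    if (major, minor, patch) == (1, 1, 1):
        # 1.1.1 releases are ordered by patch letter: '' < 'a' < ... < 'k' < 'l'.
        return FIXED if letter >= "l" else AFFECTED
    if (major, minor) == (1, 1):
        return UNCONFIRMED          # 1.1.0: impact not confirmed, treat as risky
    if major == 1:
        return UNSUPPORTED          # 1.0.2 and older: not impacted, but end of life
    if major == 3 and pre is not None:
        return AFFECTED             # 3.0 alpha/beta pre-releases
    return FIXED                    # assumption: 3.0.0 final and later include the fix


if __name__ == "__main__":
    # Constructed sample of 'openssl version' output lines from an inventory.
    for line in ["OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 1.1.1l  24 Aug 2021", "3.0.0-beta2"]:
        print(f"{line!r}: {assess(line)}")
```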

Another company that has already responded to these problems is NetApp, which has not compiled a full list of affected products yet either but is working on one. Synology has also released an advisory informing its customers that a fix is being developed for eight products. Linux distributions such as Ubuntu, Red Hat, and Debian have also acknowledged the flaws and urged all software packagers that use OpenSSL as a dependency to upgrade to a new version.
