OpenSSL Flaws Discovered and Fixed Last Week Affect a Large Number of Products

  • OpenSSL has fixed two out-of-bounds memory access vulnerabilities that affect a large number of products using the library.
  • Among them is QNAP, which makes widely used network-attached storage (NAS) appliances.
  • The impact is so far-reaching that most vendors are still investigating which of their products are affected.

QNAP is working on a complete list of products affected by two flaws in OpenSSL that the open-source cryptographic library fixed on August 24, 2021. The impact on the company's network-attached storage (NAS) appliances is expected to be significant, so patches should reach customers soon. Multiple other companies and projects that rely on OpenSSL have already released security bulletins, so this is a widespread problem.

The flaws are the following:

The first flaw is rated "High" severity, the second "Moderate." In the first case, an attacker who can present specially crafted data for decryption by the application can overflow a buffer and overwrite data held after it, which can change the application's behaviour or crash it. In the second, an attacker can cause the application to construct an ASN1_STRING directly and then process it with one of the affected OpenSSL functions; the function reads past the end of the buffer and the application crashes, resulting in a denial of service.

All OpenSSL 1.1.1 releases up to and including 1.1.1k are affected by both bugs; anyone running them should upgrade to 1.1.1l or later. OpenSSL 3.0 alpha/beta builds are also affected, but 3.0 is still in development and has not been officially released. OpenSSL 1.0.2 is not affected by the first flaw, but it is out of public support and no longer receives public fixes, so downgrading to it is not a way out. Impact on OpenSSL 1.1.0 has not been confirmed, but that branch is also out of support and should be treated as at risk.
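A practical first step is to check which OpenSSL build each host and application actually runs, since the letter-suffixed 1.1.1 versions do not sort as plain numbers and a pre-release 3.0 banner looks different again. The following script is an added example, not code from the article, OpenSSL or any of the vendors mentioned; it classifies version banners of the form printed by `openssl version` (or exposed by Python's `ssl.OPENSSL_VERSION`) against the ranges described above. The function names, the constructed sample banners and the "unsupported" handling of the 1.0.2 and 1.1.0 branches are this example's own assumptions.

```python
import re
import ssl

# Affected ranges as described in the advisory summary above:
#   1.1.1 through 1.1.1k  -> upgrade to 1.1.1l or later
#   3.0 alpha/beta builds -> affected pre-release builds
#   1.0.2 and 1.1.0       -> out of public support (treated as "unsupported" here,
#                            an assumption of this example rather than an advisory rating)
FIXED_111_LETTER = "l"

# Matches e.g. "OpenSSL 1.1.1k  25 Mar 2021" or "OpenSSL 3.0.0-beta2 28 Jul 2021".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(alpha|beta)\d*)?",
    re.IGNORECASE,
)


def parse_version(banner):
    """Parse an OpenSSL version banner into (major, minor, patch, letter, prerelease).

    Returns None when the text is not an OpenSSL banner (LibreSSL, BoringSSL, ...).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (pre.lower() if pre else None)


def assess(banner):
    """Classify a banner as 'vulnerable', 'fixed', 'unsupported' or 'unknown'.

    Returns a (status, advice) tuple so callers can act on the status and
    show the advice to an operator.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return ("unknown", "not an OpenSSL version banner")
    major, minor, patch, letter, pre = parsed

    if (major, minor, patch) == (1, 1, 1):
        # Letter releases sort lexically: '' (1.1.1) < 'a' < ... < 'k' < 'l'.
        if letter < FIXED_111_LETTER:
            return ("vulnerable", "upgrade to OpenSSL 1.1.1l or later")
        return ("fixed", "1.1.1l or later")

    if (major, minor) == (3, 0) and pre in ("alpha", "beta"):
        return ("vulnerable", "3.0 pre-release build; move to a fixed 3.0 build")

    if (major, minor) in ((1, 0), (1, 1)):
        # 1.0.2 and 1.1.0 no longer receive public fixes; do not stay on them.
        return ("unsupported", "out-of-support branch; move to OpenSSL 1.1.1l or later")

    return ("fixed", "not in the affected ranges")


def runtime_report():
    """Assess the OpenSSL library the running Python interpreter is linked against."""
    return (ssl.OPENSSL_VERSION, assess(ssl.OPENSSL_VERSION))


if __name__ == "__main__":
    # Constructed sample banners for demonstration; not collected from real hosts.
    samples = [
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.1.1l  24 Aug 2021",
        "OpenSSL 1.1.1  11 Sep 2018",
        "OpenSSL 3.0.0-beta2 28 Jul 2021",
        "OpenSSL 1.0.2u  20 Dec 2019",
        "OpenSSL 1.1.0l  10 Sep 2019",
        "LibreSSL 3.3.2",
    ]
    for banner in samples:
        status, advice = assess(banner)
        print(f"{banner:<35} {status:<12} {advice}")
    banner, (status, advice) = runtime_report()
    print(f"this interpreter: {banner} -> {status} ({advice})")
```

Note that the banner from the system `openssl` binary only tells you about the system library. Appliances and applications that bundle or statically link their own copy of OpenSSL (which is why QNAP, NetApp and Synology have to audit product by product) must be checked against the version they embed, which is usually only visible in the vendor's advisory or the binary itself.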

Another company that has already responded is NetApp, which has not compiled a full list of affected products yet either but is working on one. Synology has also released an advisory informing its customers that a patch is being developed for eight products. Linux distributions such as Ubuntu, Red Hat and Debian have also acknowledged the flaws and have urged everyone packaging software that depends on OpenSSL to rebuild against the fixed version.
