OpenSSL Just Fixed Two High-Severity Easy-to-Find Flaws

  • OpenSSL has pushed two fixes for an equal number of recently discovered highly critical bugs.
  • The vulnerabilities aren’t affecting every configuration, but one of them is present on the default setting.
  • Everyone is advised to update to 1.1.1k or later unless you’re still using OpenSSL 1.0.2, which isn’t impacted.

OpenSSL has released a security advisory to inform the public about fixing CVE-2021-3450 and CVE-2021-3449. The first is a high-severity CA certificate check bypass that can occur in configurations that use the X509_V_FLAG_X509_STRICT flag. The second could enable a malicious actor to craft and use a special renegotiation ClientHello message from a client, leading to a crash and denial of service.

https://twitter.com/FiloSottile/status/1375088690729517059

According to the details given in the advisory, the versions that are affected by the two flaws are OpenSSL 1.1.1, so everyone is advised to upgrade to 1.1.1k or later. The issues do not impact OpenSSL 1.0.2. OpenSSL 1.1.0 could also be impacted, but it has not been analyzed as it’s not actively supported anymore.

In order to be affected by CVE-2021-3450, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. Thus, not using that special configuration could be a mitigation if updating to a patched version is impossible for any reason.

The renegotiating request looks more troublesome on paper, and it could threaten to take down a mind-boggling number of internet websites through DoS attacks. The particular flaw was found and fixed by Nokia’s researchers Peter Kästle and Samuel Sapalski on March 17, 2021. The prerequisite for vulnerability is to have TLSv1.2 with renegotiation enabled, and this looks bad precisely because this is the default configuration.

OpenSSL is a free (Apache License) software library used by internet servers for HTTPS websites, providing basic cryptographic functions and versatile open-source implementation of the SSL (now deprecated) and TLS secured communications protocols. As such, every vulnerability found in OpenSSL has the potential to affect significant portions of the internet, exactly like we saw with the “Heartbleed” example all the way back in 2014.

The upside in the most recent case is that it looks like the OpenSSL team had pushed the fixes for the two highly critical flaws before any malicious actors had the chance to exploit them, at least in alarming scales.

REVIEW OVERVIEW

Latest

How to Watch Westworld Season 4 Online From Anywhere

The fourth season of your favorite science fiction dystopian TV series is set to premiere soon, and we know you want to...

How to Watch 2022 BET Awards Online From Anywhere

The 2022 BET Awards are here, so be ready to celebrate African American entertainers who have excelled in the field of music,...

How to Watch Jack Osbourne’s Night of Terror: Bigfoot Online From Anywhere

Discovery+ is here with a new 2-hour special featuring Jack Osbourne, and we're looking forward to watching it online. If you're interested...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari