OpenSSL Just Fixed Two High-Severity Easy-to-Find Flaws

  • OpenSSL has pushed two fixes for an equal number of recently discovered highly critical bugs.
  • The vulnerabilities aren’t affecting every configuration, but one of them is present on the default setting.
  • Everyone is advised to update to 1.1.1k or later unless you’re still using OpenSSL 1.0.2, which isn’t impacted.

OpenSSL has released a security advisory to inform the public about fixing CVE-2021-3450 and CVE-2021-3449. The first is a high-severity CA certificate check bypass that can occur in configurations that use the X509_V_FLAG_X509_STRICT flag. The second could enable a malicious actor to craft and use a special renegotiation ClientHello message from a client, leading to a crash and denial of service.

https://twitter.com/FiloSottile/status/1375088690729517059

According to the details given in the advisory, the versions that are affected by the two flaws are OpenSSL 1.1.1, so everyone is advised to upgrade to 1.1.1k or later. The issues do not impact OpenSSL 1.0.2. OpenSSL 1.1.0 could also be impacted, but it has not been analyzed as it’s not actively supported anymore.

In order to be affected by CVE-2021-3450, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. Thus, not using that special configuration could be a mitigation if updating to a patched version is impossible for any reason.

The renegotiating request looks more troublesome on paper, and it could threaten to take down a mind-boggling number of internet websites through DoS attacks. The particular flaw was found and fixed by Nokia’s researchers Peter Kästle and Samuel Sapalski on March 17, 2021. The prerequisite for vulnerability is to have TLSv1.2 with renegotiation enabled, and this looks bad precisely because this is the default configuration.

OpenSSL is a free (Apache License) software library used by internet servers for HTTPS websites, providing basic cryptographic functions and versatile open-source implementation of the SSL (now deprecated) and TLS secured communications protocols. As such, every vulnerability found in OpenSSL has the potential to affect significant portions of the internet, exactly like we saw with the “Heartbleed” example all the way back in 2014.

The upside in the most recent case is that it looks like the OpenSSL team had pushed the fixes for the two highly critical flaws before any malicious actors had the chance to exploit them, at least in alarming scales.

REVIEW OVERVIEW

Latest

How to Watch Golden State Warriors vs. Phoenix Suns: Live Stream, Start Time, TV Channel, Odds, Predictions

Two of the best teams in the NBA will battle it out on Tuesday as the Western Conference heats up with this...

How to Watch New York Knicks vs. Brooklyn Nets: Live Stream, Start Time, TV Channel, Odds, Predictions

Two New York based teams face off in this thrilling NBA derby on Tuesday evening, as it is the New York Knicks...

How to Watch Denver Nuggets vs. Miami Heat: Live Stream, Start Time, TV Channel, Odds, Predictions

Another blockbuster NBA clash awaits us on Monday night as the Miami Heat and the Denver Nuggets collide at the FTX Arena....
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari