    TrendLabs Security Intelligence Blog

    Archive for June 6th, 2014




    OpenSSL has recently released six security updates addressing vulnerabilities found in OpenSSL. As of this writing, there is no reported exploit leveraging these vulnerabilities in the wild. The security patches cover the following vulnerabilities:

    • SSL/TLS MITM vulnerability (CVE-2014-0224)
    • DTLS recursion flaw (CVE-2014-0221)
    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
    • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
    • Anonymous ECDH denial of service (CVE-2014-3470)

    When the SSL/TLS MITM vulnerability is exploited via a man-in-the-middle attack, it can allow a remote attacker to change traffic from any vulnerable client and server. Note that both client and server have to be vulnerable for this vulnerability to be exploited successfully, making this less serious than the Heartbleed vulnerability. Another notable bulletin is the DTLS invalid fragment vulnerability, which can allow arbitrary code execution if exploited, thus compromising the security of the system. In addition, the DTLS recursion flaw (CVE-2014-0221) can be abused by remote attackers to cause denial-of-service (DoS) attacks.

    Accordingly, servers with OpenSSL 1.0.1 and 1.0.2-beta1 are vulnerable. Users running OpenSSL versions earlier than 1.0.1 are also encouraged to upgrade. The recommended versions are:

    • OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za
    • OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m
    • OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h
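
    The upgrade targets above can be checked mechanically against `openssl version` output. The following is an added example, not code from the original post or from OpenSSL; the function names are hypothetical and the banner strings are constructed samples. It handles the letter-suffix ordering in which "za" sorts after "z".

```python
import re

# Patched releases named in the advisory, keyed by release branch.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)(?:-(\S+))?")

def parse_version(text):
    """Extract (branch, letter_suffix, tag) from an `openssl version` style banner."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return m.group(1), m.group(2), m.group(3)

def suffix_key(suffix):
    """Sort key for patch letters: '' < a < ... < z < za < zb ..."""
    return (len(suffix), suffix)

def assess(text):
    """Return (status, upgrade_target) for one version banner."""
    branch, suffix, tag = parse_version(text)
    if branch == "1.0.2" and tag == "beta1":
        # The advisory lists this beta as vulnerable but names no fixed release.
        return "vulnerable", None
    fixed = FIXED.get(branch)
    if fixed is None:
        return "not-covered", None  # branch is not discussed in the advisory
    if suffix_key(suffix) < suffix_key(fixed):
        return "upgrade", branch + fixed
    return "patched", None

if __name__ == "__main__":
    # Constructed sample banners (not captured from real hosts).
    samples = [
        "OpenSSL 1.0.1g",
        "OpenSSL 1.0.1h",
        "OpenSSL 0.9.8y",
        "OpenSSL 0.9.8za",
        "OpenSSL 1.0.0",
        "OpenSSL 1.0.1e-fips",
        "OpenSSL 1.0.2-beta1",
    ]
    for banner in samples:
        print(f"{banner:22} -> {assess(banner)}")
```

    Distribution packages often backport fixes without changing the upstream letter, so an "upgrade" result on a vendor build should be confirmed against the vendor's own advisory.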

    While these OpenSSL vulnerabilities are different from the Heartbleed bug, which affected a number of websites and mobile applications, they also pose security risks to users. As such, web administrators are strongly advised to patch their systems with the latest security updates from OpenSSL to mitigate the risks of possible threats leveraging these vulnerabilities.

    We will update this entry for any developments on the OpenSSL vulnerabilities.

    Update as of 12:14 PM, June 6, 2014

    Trend Micro Deep Security protects users from these vulnerabilities via the following DPI rules:

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability
    • 1006090 – Detected Fragmented DTLS Request
    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability

    Update as of 5:17 PM, June 6, 2014

    Note that the following DPI rule protects against SSL/TLS MITM vulnerability (CVE-2014-0224):

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability

    On the other hand, DPI rule “1006091 – Detected Fragmented DTLS Message” addresses the following vulnerabilities:

    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • DTLS recursion flaw (CVE-2014-0221)

    This DPI rule also protects users from the vulnerability covered under CVE-2014-3466, which can allow denial of service or execution of arbitrary code when exploited:

    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability
     