OpenSSL has recently released six security updates addressing vulnerabilities found in OpenSSL. As of this writing, there is no reported exploit leveraging these vulnerabilities in the wild. The security patches cover the following vulnerabilities:
- SSL/TLS MITM vulnerability (CVE-2014-0224)
- DTLS recursion flaw (CVE-2014-0221)
- DTLS invalid fragment vulnerability (CVE-2014-0195)
- SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
- SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
- Anonymous ECDH denial of service (CVE-2014-3470)
When SSL/TLS MITM vulnerability is exploited via man-in-the-middle attacks, it can allow remote attacker to change traffic from any vulnerable client and server. Note that both client and server have to be vulnerable for this vulnerability to be exploited successfully, making this less serious than the Heartbleed vulnerability. Another notable bulletin is DTLS invalid fragment vulnerability, which can execute arbitrary code if exploited, thus compromising the security of the system. In addition, the DTLS recursion flaw (CVE-2014-0221) can be abused by remote attackers to cause denial-of-service (DoS) attacks.
Accordingly, servers with OpenSSL 1.0.1 and 1.0.2-beta1 are vulnerable. OpenSSL servers earlier than 1.0.1 are also encouraged to upgrade to the following versions:
- OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za
- OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m
- OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h
While these OpenSSL vulnerabilities are different from the Heartbleed bug which affected a number of websites and mobile applications, they also pose security risks to users. As such, web administrators are strongly advised to patch their systems with the latest security updates from OpenSSL to mitigate the risks of possible threats leveraging these vulnerabilities.
We will update this entry for any developments on the OpenSSL vulnerabilities.
Update as of 12:14 PM, June 6, 2014
Trend Micro Deep Security protects users from these vulnerabilities via the following DPI rules:
- 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability
- 1006090 – Detected Fragmented DTLS Request
- 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability
Update as of 5:17 PM, June 6, 2014
Note that the following DPI rule protects against SSL/TLS MITM vulnerability (CVE-2014-0224):
- 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability
On the other hand, DPI rule “1006091 – Detected Fragmented DTLS Message” addresses the following vulnerabilities:
- DTLS invalid fragment vulnerability (CVE-2014-0195)
- DTLS recursion flaw (CVE-2014-0221)
Users are also protected from vulnerability covered under CVE-2014-3466, which can allow denial of service or execution of arbitrary code when exploited via this DPI rule:
- 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability
