OpenSSL Information Disclosure and Denial of Service
OpenSSL Information Disclosure and Denial of Service Vulnerabilities
Release Date : 2013-02-06
Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch
Software: OpenSSL 0.x
Multiple vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to disclose potentially sensitive information and cause a DoS (Denial of Service) of the application using the library.
1) An error when handling message authentication codes (MACs) with a block cipher algorithm in the CBC (Cipher-Block Chaining) mode can be exploited to potentially disclose certain plaintext bits from a block of ciphertext.
2) An error when handling TLS packets using CBC mode can be exploited to cause a crash.
This vulnerability is reported in version 1.0.1c running on the AES-NI platform.
3) An error when handling OCSP response verification can be exploited to render the application unusable.
Vulnerabilities #1 and #3 are reported in versions 1.0.1c, 1.0.0j, and 0.9.8x and prior.
Update to versions 1.0.1d, 1.0.0k, or 0.9.8y.
Provided and/or discovered by:
1) Nadhem AlFardan and Kenny Paterson, Information Security Group at Royal Holloway, University of London
2) The vendor independently credits Adam Langley and Wolfgang Ettlingers
3) Reported by the vendor.
Nadhem AlFardan and Kenny Pater
Was this reply helpful? (0) (0)