OpenSSL needs to be patched again.
The open source project team said Thursday that version 1.0.2 of its toolkit for implementing SSL/TLS protocol has a serious bug in it that could lead to a denial of service attack. OpenSSL users should upgrade to version 1.0.2a as soon as possible.
In a security advisory the team said that if a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.
Also on Thursday the PCI Security Standards Council was notified by a security researcher of a cross-site scripting vulnerability on pcisecuritystandards.org., a problem that could have been embarassing to an organization focused on payment security “We identified a minor vulnerability in the public documents library on the PCI SSC website that was addressed within minutes,” council communications manager Laura Johnson acknowledged in an email to IT World Canada. “No data of any kind was at risk.”
This OpenSLL issue was was reported Feb. 26 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.
The version 1.0.2a upgrade also fixes other problems. OpenSSL 1.0.2 introduced the “multiblock” performance improvement for 64 bit x86 architecture platforms that support AES NI instructions. According to the security notice a defect in the implementation of “multiblock” can cause OpenSSL’s internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack.
The upgrade also fixes a problem that could crash certificate verification operations, and one that could cause memory corruption.