Multiple Vulnerabilities in OpenSSL Could Lead to Denial of Service Conditions

ITS Advisory Number: 
2015-029
Date(s) Issued: 
Thursday, March 19, 2015
Subject: 
Multiple Vulnerabilities in OpenSSL Could Lead to Denial of Service Conditions
Overview: 
Multiple vulnerabilities have been discovered in OpenSSL. OpenSSL is an open-source implementation of the SSL protocol used by a number of applications and products. SSL (Secure Sockets Layer) is a protocol that ensures secure communication over the Internet via encryption. Successful exploitation of these vulnerabilities may result in denial of service conditions.
Systems Affected: 
  • OpenSSL 1.0.2
  • OpenSSL 1.0.1
  • OpenSSL 1.0.0
  • OpenSSL 0.9.8
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Multiple vulnerabilities have been discovered in OpenSSL. The details of these vulnerabilities are as follows:

  • A Null pointer dereferencing issue may result in denial of service conditions (CVE-2015-0208, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0291).
  • RSA export ciphersuites are prone to a man-in-the-middle (MITM) attack (CVE-2015-0204).
  • A defect in the implementation of "multiblock" may result in denial of service conditions (CVE-2015-0290).
  • A defect in the implementation of DTLSv1 Segmentation fault in DTLSv1_listen changes the ClientHello to act statefull (CVE-2015-0207).
  • ASN1_TYPE_cmp may result in denial of service conditions when comparing ASN.1 boolean types (CVE-2015-0286).
  • Reusing a structure in ASN.1 parsing may result in memory corruption (CVE-2015-0287).
  • An issue in the Base64 decoding may cause memory corruption (CVE-2015-0292).
  • Servers supporting SSLv2 and enable export cipher suites may be susceptible to denial of service conditions (CVE-2015-0293).
  • A server may be susceptible to denial of service conditions when processing DHE ciphersuites (CVE-2015-1787).
  • OpenSSL client may be susceptible to an unseeded PRNG handshake (CVE-2015-0285)
  • Use-after-free following d2i_ECPrivatekey error denial of service conditions or memory corruption (CVE-2015-0209).

Successful exploitation of these vulnerabilities may result in denial of service conditions.

Actions: 

We recommend the following actions be taken:

  • After appropriate testing, apply appropriate updates to vulnerable systems immediately.
    • OpenSSL 1.0.2 users should upgrade to 1.0.2a o
    • OpenSSL 1.0.1 users should upgrade to 1.0.1k
    • OpenSSL 1.0.0 users should upgrade to 1.0.0p
    • OpenSSL 0.9.8 users should upgrade to 0.9.8zd
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources, or suspicious emails from trusted sources.