OpenSSL
== Notable vulnerabilities ==

=== Denial of service: ASN.1 parsing ===
OpenSSL 0.9.6k has a bug, discovered on November 4, 2003, where certain [[ASN.1]] sequences triggered a large number of recursions on Windows machines. Windows could not handle such deep recursion correctly, so OpenSSL would crash. An attacker able to send arbitrarily large numbers of ASN.1 sequences could therefore crash OpenSSL.

=== OCSP stapling vulnerability ===
When creating a handshake, the client could send an incorrectly formatted ClientHello message, leading OpenSSL to parse beyond the end of the message. Assigned the identifier {{CVE|2011-0014}} by the CVE project, this affected all OpenSSL versions 0.9.8h to 0.9.8q and OpenSSL 1.0.0 to 1.0.0c. Since the parsing could lead to a read from an incorrect memory address, an attacker could cause a [[Denial-of-service attack|DoS]]. Some applications might also expose the contents of parsed [[OCSP]] extensions, allowing an attacker to read the contents of memory that came after the ClientHello.<ref>{{cite web|title=OpenSSL Updates Fix Critical Security Vulnerabilities|date=9 August 2014|url=https://blogs.comodo.com/it-security/openssl-updates-fix-critical-security-vulnerabilities/|access-date=25 August 2014|df=mdy-all|archive-date=August 26, 2014|archive-url=https://web.archive.org/web/20140826120554/https://blogs.comodo.com/it-security/openssl-updates-fix-critical-security-vulnerabilities/|url-status=dead}}</ref>

=== ASN.1 BIO vulnerability ===
When using Basic Input/Output (BIO)<ref>{{cite web |url=https://tools.cisco.com/security/center/viewAlert.x?alertId=25706 |title=OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability |publisher=Cisco |access-date=May 9, 2016 |archive-date=June 10, 2016 |archive-url=https://web.archive.org/web/20160610123316/https://tools.cisco.com/security/center/viewAlert.x?alertId=25706 |url-status=live}}</ref> or FILE based functions to read untrusted [[Distinguished Encoding Rules|DER]] format data, OpenSSL is vulnerable. This vulnerability was discovered on April 19, 2012, and was assigned the CVE identifier {{CVE|2012-2110}}. While it does not directly affect the SSL/TLS code of OpenSSL, any application using ASN.1 functions (particularly d2i_X509 and d2i_PKCS12) was also affected.<ref>{{cite web |url=https://www.openssl.org/news/secadv_20120419.txt |title=ASN1 BIO vulnerability |publisher=OpenSSL |access-date=February 5, 2015 |archive-date=March 2, 2015 |archive-url=https://web.archive.org/web/20150302121643/http://www.openssl.org/news/secadv_20120419.txt |url-status=live}}</ref>

=== SSL, TLS and DTLS plaintext recovery attack ===
In handling CBC cipher suites in SSL, TLS, and DTLS, OpenSSL was found vulnerable to a timing attack during the MAC processing. Nadhem Alfardan and Kenny Paterson discovered the problem, and published their findings<ref>{{cite web|url=http://www.isg.rhul.ac.uk/tls/|title=On the Security of RC4 in TLS|publisher=Royal Holloway Department of Information Security|access-date=April 29, 2014|archive-date=March 15, 2013|archive-url=https://web.archive.org/web/20130315084623/http://www.isg.rhul.ac.uk/tls/|url-status=dead}}</ref> on February 5, 2013. The vulnerability was assigned the CVE identifier {{CVE|2013-0169}}.

=== Predictable private keys (Debian-specific) ===
OpenSSL's pseudo-[[random number generator]] acquires entropy using complex programming methods.
To keep the [[Valgrind]] analysis tool from issuing associated warnings, a maintainer of the [[Debian]] distribution applied a [[patch (computing)|patch]] to Debian's variant of the OpenSSL suite, which inadvertently broke its random number generator by limiting the overall number of private keys it could generate to 32,768.<ref>{{Cite web |title=research!rsc: Lessons from the Debian/OpenSSL Fiasco |url=http://research.swtch.com/openssl |website=research.swtch.com |access-date=2015-08-12|df=mdy-all}}</ref><ref>{{Cite web |title=SSLkeys |website=Debian Wiki |url=https://wiki.debian.org/SSLkeys |access-date=2015-06-19|df=mdy-all}}</ref> The broken version was included in the Debian release of September 17, 2006 (version 0.9.8c-1), also compromising other Debian-based distributions, for example [[Ubuntu (operating system)|Ubuntu]]. Ready-to-use [[exploit (computer security)|exploits]] are easily available.<ref>{{Cite web |title=Debian OpenSSL – Predictable PRNG Bruteforce SSH Exploit Python |website=Exploits Database |url=https://www.exploit-db.com/exploits/5720/ |access-date=2015-08-12 |date=2008-06-01 |df=mdy-all |archive-date=February 6, 2025 |archive-url=https://web.archive.org/web/20250206223039/https://www.exploit-db.com/exploits/5720 |url-status=live}}</ref> The error was reported by Debian on May 13, 2008. On the Debian 4.0 distribution (etch), these problems were fixed in version 0.9.8c-4etch3, while fixes for the Debian 5.0 distribution (lenny) were provided in version 0.9.8g-9.<ref name="dsa-1571-1">{{cite web |title=DSA-1571-1 openssl – predictable random number generator |url=http://www.debian.org/security/2008/dsa-1571 |publisher=[[Debian]] Project |date=May 13, 2008 |access-date=August 5, 2012 |archive-date=March 9, 2011 |archive-url=https://web.archive.org/web/20110309045023/http://www.debian.org/security/2008/dsa-1571 |url-status=live}}</ref>

=== {{anchor|Heartbleed bug}}Heartbleed ===
{{Main|Heartbleed}}
[[File:Heartbleed.svg|thumb|A logo representing the Heartbleed bug]]
OpenSSL versions 1.0.1 through 1.0.1f have a severe memory handling [[software bug|bug]] in their implementation of the [[Transport Layer Security|TLS]] Heartbeat Extension that could be used to reveal up to 64 [[Kibibyte|KB]] of the application's memory with every [[heartbeat (computing)|heartbeat]]<ref>{{cite web|title=OpenSSL Security Advisory [07 Apr 2014]|url=https://www.openssl.org/news/secadv_20140407.txt|author=OpenSSL.org|access-date=9 April 2014|date=7 April 2014|df=mdy-all|archive-date=April 8, 2014|archive-url=https://web.archive.org/web/20140408195036/https://www.openssl.org/news/secadv_20140407.txt|url-status=dead}}</ref><ref>{{Cite web| last = OpenSSL| title = TLS heartbeat read overrun (CVE-2014-0160)| access-date = 2014-04-08| date = 2014-04-07| url = https://www.openssl.org/news/secadv_20140407.txt| df = mdy-all| archive-date = April 8, 2014| archive-url = https://web.archive.org/web/20140408195036/https://www.openssl.org/news/secadv_20140407.txt| url-status = dead}}</ref> ({{CVE|2014-0160}}).
By reading the memory of the web server, attackers could access sensitive data, including the server's [[public-key cryptography|private key]].<ref name="hb">{{Cite web| last = Codenomicon Ltd| title = Heartbleed Bug| access-date = 2014-04-08| date = 2014-04-08| url = http://heartbleed.com/| df = mdy-all| archive-date = April 7, 2014| archive-url = https://web.archive.org/web/20140407203519/http://heartbleed.com/| url-status = live}}</ref> This could allow attackers to decode earlier [[eavesdropping|eavesdropped]] communications if the encryption protocol used does not ensure [[perfect forward secrecy]]. Knowledge of the private key could also allow an attacker to mount a [[man-in-the-middle attack]] against any future communications.{{citation needed|date=April 2019}} The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including [[session cookie]]s and passwords, which might allow attackers to [[Session hijacking|hijack the identity]] of another user of the service.<ref name="ipsec">{{cite web |url=http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html |title=Why Heartbleed is dangerous? Exploiting CVE-2014-0160 |year=2014 |publisher=IPSec.pl |access-date=April 8, 2014 |archive-date=April 8, 2014 |archive-url=https://web.archive.org/web/20140408224556/http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html |url-status=dead}}</ref> At its disclosure on April 7, 2014, around 17% or half a million of the Internet's secure [[web servers]] certified by [[Certificate authority|trusted authorities]] were believed to have been vulnerable to the attack.<ref>{{cite web|last=Mutton|first=Paul|title=Half a million widely trusted websites vulnerable to Heartbleed bug|url=http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html|publisher=Netcraft Ltd.|access-date=8 April 2014|date=8 April 2014|df=mdy-all|archive-date=November 19, 2014|archive-url=https://web.archive.org/web/20141119102520/http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html|url-status=live}}</ref> However, Heartbleed can affect both the server and client.
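The Heartbleed defect is a missing bounds check: the handler trusted the payload length declared inside the heartbeat request instead of the number of bytes actually received. The following C program is an added illustration written for this article, not code from OpenSSL. It models the RFC 6520 message layout (type byte, two-byte length, payload, padding) with a vulnerable handler next to a hardened one, and keeps the whole demonstration inside one constructed array so that the over-read stays memory-safe while still showing why adjacent data (here a constructed string) ends up in the response. The names, the 23-byte record and the secret string are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a TLS heartbeat message (RFC 6520 layout,
 * not OpenSSL's own code): 1 byte type, 2-byte big-endian payload_length,
 * payload bytes, then at least 16 bytes of random padding. record_len is the
 * number of bytes that actually arrived on the wire for this record. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HDR      3

/* Vulnerable pattern: trusts the declared payload_length and copies that many
 * bytes out of the record buffer, no matter how many bytes were received. */
static int heartbeat_unchecked(const uint8_t *rec, size_t record_len,
                               uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (record_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload > out_cap) return -1;   /* only the output side is bounded */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload); /* over-reads when payload_length lies */
    *out_len = HB_HDR + payload;
    return 0;
}

/* Hardened version: the declared length must fit inside the bytes actually
 * received, padding included; otherwise the message is silently discarded. */
static int heartbeat_checked(const uint8_t *rec, size_t record_len,
                             uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (record_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > record_len) return -1; /* the missing bounds check */
    if (HB_HDR + payload > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    *out_len = HB_HDR + payload;
    return 0;
}

/* Constructed arena standing in for process memory: a 23-byte heartbeat
 * record whose length field is set by the caller but which carries only
 * "ping", followed by a constructed secret that happens to sit next to it.
 * Everything stays inside one array so the demonstration is memory-safe. */
static const char kSecret[] = "CONSTRUCTED-SECRET";

static size_t build_arena(uint8_t *arena, size_t cap, uint8_t len_hi, uint8_t len_lo)
{
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST; arena[1] = len_hi; arena[2] = len_lo;
    memcpy(arena + HB_HDR, "ping", 4);
    size_t record_len = HB_HDR + 4 + HB_PADDING;          /* 23 bytes really received */
    memcpy(arena + record_len, kSecret, sizeof kSecret);  /* adjacent memory */
    return record_len;
}

/* Returns 1 if the unchecked handler's response contains the adjacent secret. */
int unchecked_leaks_secret(void)
{
    uint8_t arena[128], out[128]; size_t out_len = 0;
    size_t record_len = build_arena(arena, sizeof arena, 0x00, 0x40);  /* claims 64 bytes */
    if (heartbeat_unchecked(arena, record_len, out, sizeof out, &out_len) != 0) return 0;
    return memcmp(out + record_len, kSecret, strlen(kSecret)) == 0;
}

/* Returns 1 if the checked handler discards the same over-long request. */
int checked_rejects_overlong(void)
{
    uint8_t arena[128], out[128]; size_t out_len = 0;
    size_t record_len = build_arena(arena, sizeof arena, 0x00, 0x40);
    return heartbeat_checked(arena, record_len, out, sizeof out, &out_len) != 0;
}

/* Returns the response length for an honest 4-byte request (3 + 4 = 7). */
size_t checked_valid_response_len(void)
{
    uint8_t arena[128], out[128]; size_t out_len = 0;
    size_t record_len = build_arena(arena, sizeof arena, 0x00, 0x04);  /* claims 4 bytes */
    if (heartbeat_checked(arena, record_len, out, sizeof out, &out_len) != 0) return 0;
    return out_len;
}

int main(void)
{
    printf("unchecked handler leaks adjacent secret: %d\n", unchecked_leaks_secret());
    printf("checked handler rejects over-long request: %d\n", checked_rejects_overlong());
    printf("checked handler response length for honest request: %zu\n",
           checked_valid_response_len());
    return 0;
}
```

The decisive line is the comparison of the declared length (plus mandatory padding) against `record_len`, the byte count the transport layer actually delivered; any parser that copies according to a length field taken from the message itself needs the same check against the enclosing buffer.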
=== {{anchor|CVE-2014-0224}}CCS injection vulnerability ===
The CCS Injection Vulnerability ({{CVE|2014-0224}}) is a security bypass vulnerability that results from a weakness in OpenSSL methods used for keying material.<ref>{{cite web |url=http://www.cyberoam.com/blog/openssl-continues-to-bleed-out-more-flaws-more-critical-vulnerabilities-found/ |title=OpenSSL continues to bleed out more flaws – more critical vulnerabilities found |year=2014 |publisher=Cyberoam Threat Research Labs |access-date=2014-06-13 |archive-url=https://web.archive.org/web/20140619034859/http://www.cyberoam.com/blog/openssl-continues-to-bleed-out-more-flaws-more-critical-vulnerabilities-found/ |archive-date=2014-06-19 |url-status=dead |df=mdy-all}}</ref> This vulnerability can be exploited through the use of a man-in-the-middle attack,<ref>{{cite web |url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 |title=CVE-2014-0224 |year=2014 |publisher=CVE |access-date=June 13, 2014 |archive-date=August 1, 2014 |archive-url=https://web.archive.org/web/20140801203134/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 |url-status=live}}</ref> where an attacker may be able to decrypt and modify traffic in transit. A remote unauthenticated attacker could exploit this vulnerability by using a specially crafted handshake to force the use of weak keying material. Successful exploitation could lead to a security bypass condition where an attacker could gain access to potentially sensitive information. The attack can only be performed between a vulnerable client ''and'' server. OpenSSL clients are vulnerable in all versions of OpenSSL before the versions 0.9.8za, 1.0.0m and 1.0.1h. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.<ref>{{cite web |url=https://www.openssl.org/news/secadv_20140605.txt |title=OpenSSL Security Advisory |date=5 June 2014 |publisher=OpenSSL |df=mdy-all |access-date=June 13, 2014 |archive-date=April 30, 2024 |archive-url=https://web.archive.org/web/20240430142011/https://www.openssl.org/news/secadv_20140605.txt |url-status=dead}}</ref>

=== {{anchor|CVE-2015-0291}}ClientHello sigalgs DoS ===
This vulnerability ({{CVE|2015-0291}}) allows anyone to take a certificate, read its contents and modify it so that the crafted certificate crashes a client or server. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a null-pointer dereference occurs. This can cause a DoS attack against the server. A Stanford security researcher, David Ramos, had a private exploit and presented it to the OpenSSL team, which then patched the issue. OpenSSL classified the bug as a high-severity issue, noting version 1.0.2 was found vulnerable.<ref>{{cite web |url=http://freedomhacker.net/openssl-patches-severe-denial-of-service-vulnerability-3818/ |title=OpenSSL Patches Severe Denial-of-Service Vulnerability |date=20 March 2015 |publisher=Brandon Stosh |df=mdy-all |access-date=March 20, 2015 |archive-date=April 2, 2015 |archive-url=https://web.archive.org/web/20150402102240/http://freedomhacker.net/openssl-patches-severe-denial-of-service-vulnerability-3818/ |url-status=live}}</ref>

=== {{anchor|CVE-2016-0701}}Key recovery attack on Diffie–Hellman small subgroups ===
This vulnerability ({{CVE|2016-0701}}) allows, under particular circumstances, recovery of the OpenSSL server's private Diffie–Hellman key. An Adobe Systems security researcher, Antonio Sanso, privately reported the vulnerability. OpenSSL classified the bug as a high-severity issue, noting only version 1.0.2 was found vulnerable.<ref>{{cite web |url=https://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/ |title=High-severity bug in OpenSSL allows attackers to decrypt HTTPS traffic |date=28 January 2016 |work=Ars Technica |first=Dan |last=Goodlin |df=mdy-all |access-date=June 14, 2017 |archive-date=November 20, 2016 |archive-url=https://web.archive.org/web/20161120091808/http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/ |url-status=live}}</ref>
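A small-subgroup attack on Diffie–Hellman works because, when the prime p is not a safe prime, p − 1 has small factors, and a peer can send a public value of correspondingly small order; each shared secret computed with a reused private exponent then reveals that exponent modulo a small number. The standard defence on the receiving side is to validate the peer's public value before using it. The following C program is an added illustration written for this article, not OpenSSL's code, and the group parameters (p = 23, q = 11, g = 2) are a constructed toy group chosen so that the arithmetic fits in 64-bit integers; it shows the range and subgroup-membership check together with a count of how few distinct shared secrets a small-order value can produce.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy group (not real TLS parameters): p = 23 is prime and
 * p - 1 = 2 * 11, so g = 2 generates the subgroup of prime order q = 11.
 * The other factor, 2, gives a small subgroup {1, 22} that must be kept out. */
#define TOY_P 23ULL
#define TOY_Q 11ULL
#define TOY_G 2ULL

/* Square-and-multiply modular exponentiation; operands stay below 2^32
 * for the toy sizes used here, so the products cannot overflow uint64_t. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1) result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Public-value validation a server should run before using a peer's y:
 * range check 1 < y < p - 1, then y^q mod p == 1, which holds only for
 * elements of the intended order-q subgroup. Returns 1 if valid, 0 if not. */
int dh_pubkey_in_subgroup(uint64_t y, uint64_t p, uint64_t q)
{
    if (y <= 1 || y >= p - 1) return 0;
    return modpow(y, q, p) == 1;
}

/* Counts how many distinct shared secrets y^x mod p a peer value y can
 * produce as the server's private exponent x ranges over 1..p-2. A small
 * count means the shared secret depends only on x modulo a small number,
 * which is the information an attacker collects when x is reused across
 * connections; it is also the reason the check above exists. */
unsigned distinct_shared_secrets(uint64_t y, uint64_t p)
{
    unsigned char seen[64] = {0};   /* p < 64 for the toy parameters */
    unsigned count = 0;
    for (uint64_t x = 1; x <= p - 2; x++) {
        uint64_t s = modpow(y, x, p);
        if (!seen[s]) { seen[s] = 1; count++; }
    }
    return count;
}

int main(void)
{
    /* Candidates: the generator, another order-11 element, the order-2
     * element 22, an order-22 element 5, and the identity 1. */
    uint64_t candidates[] = { TOY_G, 4, 22, 5, 1 };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        uint64_t y = candidates[i];
        printf("y=%2llu  in order-q subgroup: %d  distinct secrets: %u\n",
               (unsigned long long)y, dh_pubkey_in_subgroup(y, TOY_P, TOY_Q),
               distinct_shared_secrets(y, TOY_P));
    }
    return 0;
}
```

For the toy group the order-2 value 22 yields only two possible shared secrets, so every handshake with a reused exponent leaks one bit of it, whereas the generator yields eleven; the membership check rejects 22, 5 and 1 and accepts only elements of the order-q subgroup. Using a fresh private exponent per connection, which is how OpenSSL's own fix removed the precondition for the attack, is the complementary mitigation.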