Well, there’s a relief.
When on Monday a brief note appeared on a mailing list announcing that a “high severity” bug in OpenSSL was due to be revealed in a matter of days, I can’t have been the only one dreading that we could be facing another Heartbleed situation.
Here is how that initial announcement was worded:
Fortunately, we now know that although serious and important to fix, the vulnerability isn’t that serious.
Rather than mobile apps, hardware devices, web servers’ private keys and users’ session cookies and passwords being at risk, the high severity flaw announced by OpenSSL on Thursday was a bug that could be exploited by attackers to make servers crash, effectively a way of launching a denial-of-service (DoS) attack.
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.
This issue affects OpenSSL version: 1.0.2
OpenSSL 1.0.2 users should upgrade to 1.0.2a.
This issue was was reported to OpenSSL on 26th February 2015 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.
A blog post by OpenSSL Project member Mark Cox reveals that there have been no evidence that the bug has been exploited publicly. Furthermore, because the flaw only affects version 1.0.2 of OpenSSL (which was released just a couple of months ago), it’s likely that most servers aren’t using it yet.
Yes, you heard right folks. Sometimes it’s a good thing that people have better things to do than upgrade their software…
In retrospect, maybe it would have been better if that initial announcement had clarified that the “high severity” threat was nothing like the Heartbleed bug that shook companies worldwide last year. Would it have been so difficult to reassure users a little about what type of flaw was scheduled to be fixed?
Of course, no-one should be complacent. The fact that it has now been publicly announced that there is a denial-of-service vulnerability in OpenSSL 1.0.2 might focus attackers’ minds on seeing if they can exploit it for themselves.
Stay ahead of the game by ensuring that you are updating OpenSSL to one of the latest versions to protect against the denial-of-service flaw and other vulnerabilities – 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
It’s just been a few weeks since it was revealed that millions of dollars are being invested in the Linux Foundation’s Core Infrastructure Initiative (CII) to harden open source technologies.
With the likes of Amazon, Google, IBM, Facebook and many others reaching into their pockets to fund an indepth audit of OpenSSL’s code, we shouldn’t be at all surprised if there will be more security updates coming in the near future.