Security Alert (A16-01-09): Multiple Vulnerabilities in OpenSSL


 

Published on: 29 January 2016

  
  

Description:

Multiple vulnerabilities are found in the OpenSSL library which may generate unsafe primes for use in the Diffie-Hellman protocol that may lead to disclosure of enough information for an attacker to recover the private encryption key. Moreover, a malicious client could negotiate SSLv2 ciphers that have been disabled on the server.


Affected Systems:

  • OpenSSL versions 1.0.1q, 1.0.2e and before
  • Any systems such as operating systems, web servers, VPN gateways or appliances using affected OpenSSL libraries

Impact:

Successful exploitation could lead to information disclosure.


Recommendation:

Related vulnerabilities are fixed in OpenSSL 1.0.1r and 1.0.2f. Users with systems such as HTTPS protected websites or SSL-VPN gateways using OpenSSL to encrypt network traffic should check with their product vendors if the vulnerable OpenSSL versions are used and if so, upgrade to the fixed versions or follow the recommendations provided by the product vendors to mitigate the risk.


The OpenSSL Software Foundation announced that support for OpenSSL 1.0.1 will be ceased after 31 Dec 2016, no security updates will be provided after that. Moreover, support for versions 0.9.8 and 1.0.0 was already ended on 31 Dec 2015. Users should consider upgrading to the latest versions, or contact their product vendors for support.

More Information:

https://www.openssl.org/news/secadv/20160128.txt
https://www.us-cert.gov/ncas/current-activity/2016/01/28/OpenSSL-Releases-Security-Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0701



Tag: OpenSSL
Tags