Six security patches – two of them high severity – have been released today for OpenSSL 1.0.1 and 1.0.2, as versions 1.0.1t and 1.0.2h.
CVE-2016-2108 is a curious beast: a hybrid of two low-risk bugs that fuse into a serious problem. The first is a seemingly innocuous issue in the ASN.1 encoder: asked to encode the integer zero represented as a negative number (a "negative zero"), it underflows its buffer and writes out of bounds. Since the ASN.1 parser never normally produces a negative zero from input, that was treated as an ordinary bug, fixed quietly in the June 2015 releases, rather than as a security hole.
Then on March 1 fuzzing the code with libFuzzer found that the ASN.1 parser could be tricked into producing exactly such a negative zero by misinterpreting a large universal tag. At the end of the month David Benjamin at Google put two and two together, and the combined problem is now tracked and patched as CVE-2016-2108. Anything that parses attacker-supplied ASN.1 and re-encodes it (certificate handling and RSA signature verification, which decodes and re-encodes the DigestInfo structure, are the known cases) can be made to crash or potentially execute malicious code remotely.
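To make the first half of that concrete, here is a small model of the bug class written for this article. It is not OpenSSL's source, and the hardening behind the `use_fixed` flag is the example's own rather than a description of the upstream patch. Negative integers are stored as a magnitude plus a sign flag and converted to two's complement on output; the example runs the unbounded loop on a one-byte negative zero inside a canary-padded buffer so the out-of-bounds write can be observed safely, then shows the bounded version handling the same input and a few ordinary values:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the "negative zero" bug class in a DER INTEGER encoder, written for
 * this article; it is not OpenSSL's source.  An ASN.1 INTEGER is held as a
 * big-endian magnitude plus a negative flag.  Negative values are emitted in
 * two's complement by walking the magnitude from its least significant byte,
 * skipping trailing zeros, then complementing-and-incrementing the first
 * non-zero byte.  A magnitude of all zeros with the flag set has no such byte,
 * so the walk steps off the front of both the input and the output buffer. */

/* Encoded length of the content octets, and the sign/pad byte if one is needed. */
static int int_encoded_len(const uint8_t *data, int len, int neg, uint8_t *pad_byte) {
    int pad = 0;
    *pad_byte = 0;
    if (!neg && data[0] > 127) {          /* positive with top bit set: prepend 0x00 */
        pad = 1;
    } else if (neg && data[0] > 128) {    /* magnitude above 0x80..: two's complement needs a 0xFF */
        pad = 1; *pad_byte = 0xFF;
    } else if (neg && data[0] == 128) {   /* top byte exactly 0x80: pad only if a lower byte is non-zero */
        for (int i = 1; i < len; i++)
            if (data[i]) { pad = 1; *pad_byte = 0xFF; break; }
    }
    return len + pad;
}

/* Two's-complement pass as the bug class has it: the zero-skipping loop is unbounded. */
static void twos_complement_vulnerable(const uint8_t *data, int len, uint8_t *p) {
    const uint8_t *n = data + len - 1;
    int i = len;
    p += len - 1;
    while (!*n) { *(p--) = 0; n--; i--; }          /* BUG: walks past data[0] and out[0] when all bytes are zero */
    *(p--) = (uint8_t)((*(n--) ^ 0xFF) + 1);       /* complement and increment the lowest non-zero byte */
    for (i--; i > 0; i--) *(p--) = *(n--) ^ 0xFF;  /* complement the rest */
}

/* Hardened pass: never advance beyond data[0], whatever the bytes contain. */
static void twos_complement_fixed(const uint8_t *data, int len, uint8_t *p) {
    const uint8_t *n = data + len - 1;
    int i = len;
    p += len - 1;
    while (i > 1 && !*n) { *(p--) = 0; n--; i--; }
    *(p--) = (uint8_t)((*(n--) ^ 0xFF) + 1);
    for (i--; i > 0; i--) *(p--) = *(n--) ^ 0xFF;
}

/* Encode magnitude data[0..len) (big-endian), negated if neg, into out.  use_fixed selects
 * the hardened path, which also normalises a negative zero to plain zero (this hardening is
 * the example's own, not a description of the upstream patch).  Returns bytes written. */
int encode_asn1_integer(const uint8_t *data, int len, int neg, uint8_t *out, int use_fixed) {
    uint8_t pb, *p = out;
    if (len == 0) { out[0] = 0; return 1; }     /* empty magnitude is zero */
    if (use_fixed && neg) {
        int all_zero = 1;
        for (int i = 0; i < len; i++) if (data[i]) { all_zero = 0; break; }
        if (all_zero) neg = 0;
    }
    int ret = int_encoded_len(data, len, neg, &pb);
    if (ret > len) *(p++) = pb;                 /* sign/pad byte comes first */
    if (!neg) memcpy(p, data, (size_t)len);
    else if (use_fixed) twos_complement_fixed(data, len, p);
    else twos_complement_vulnerable(data, len, p);
    return ret;
}

/* Encode a one-byte negative zero with either variant and report whether anything was
 * written before the start of the output.  Input and output sit inside larger arrays
 * with canary bytes in front, so the stray accesses stay in memory we own and can be
 * observed instead of silently corrupting a neighbour.  Returns 1 if a canary changed. */
int negative_zero_underflows(int use_fixed) {
    uint8_t src[2] = { 0xAA, 0x00 };              /* src[1] is the magnitude (zero); src[0] is a canary */
    uint8_t buf[4] = { 0xCC, 0xCC, 0xCC, 0xCC };  /* buf[2..] is the output; buf[0..1] are canaries */
    encode_asn1_integer(src + 1, 1, 1, buf + 2, use_fixed);
    return buf[0] != 0xCC || buf[1] != 0xCC;
}

/* Encode with the hardened path and compare against the expected DER content octets. */
int fixed_encoding_is(const uint8_t *data, int len, int neg, const uint8_t *expect, int explen) {
    uint8_t out[16];
    int n = encode_asn1_integer(data, len, neg, out, 1);
    return n == explen && memcmp(out, expect, (size_t)explen) == 0;
}

int main(void) {
    printf("vulnerable encoder wrote before the buffer on negative zero: %d\n", negative_zero_underflows(0));
    printf("hardened encoder wrote before the buffer on negative zero:   %d\n", negative_zero_underflows(1));
    return 0;
}
```

The vulnerable variant reports 1 and the hardened one 0. The byte that lands in front of the output buffer is the complement of whatever happened to precede the magnitude in memory, which is why the real-world impact of the encoder bug depends entirely on what the caller has allocated around it.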
CVE-2016-2107 is the other high-severity flaw: a padding oracle that lets a man-in-the-middle attacker decrypt traffic protected by an AES-CBC cipher suite when the server supports AES-NI.
The OpenSSL team introduced the bug inadvertently in February 2013 while patching Lucky 13, the attack in which British researchers showed that by corrupting the padding of an encrypted record and timing how the server reacted, a man-in-the-middle could – over a few hours – recover login passwords sent over HTTPS.
"The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes," the advisory reads. "But it no longer checked that there was enough data to have both the MAC and padding bytes."
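In code, that quoted sentence comes down to one missing comparison. The following is a simplified model written for this article, not OpenSSL's source: a keyed checksum stands in for HMAC-SHA1 (constructed, not cryptographic), the alert numbers are TLS's real ones, and the key and records are constructed inline. The vulnerable checker copies the shape of the Lucky 13 mitigation (fixed-window padding scan, every result folded into a constant-time mask) but never confirms that the record is long enough to hold both MAC and padding. A forged record whose padding is self-consistent but swallows the MAC then draws a different alert from one whose padding is wrong, which is exactly the signal a padding-oracle attack needs; the model, like the real flaw, leaks through the server's response rather than through timing. The fixed checker folds the length bound into the mask:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the CVE-2016-2107 bug class, written for this article; not OpenSSL's code.
 * A decrypted TLS CBC record is  payload || MAC || padding (pad bytes, each == pad) || pad.
 * The vulnerable checker scans and compares a fixed window in constant time but never
 * checks len >= MAC_LEN + pad + 1; the fixed checker adds that bound to the mask. */
#define MAC_LEN 20                 /* HMAC-SHA1 tag size */
#define ALERT_BAD_RECORD_MAC  20   /* TLS alert numbers */
#define ALERT_RECORD_OVERFLOW 22

/* Branch-free 32-bit helpers in the style of OpenSSL's constant_time_locl.h. */
static uint32_t ct_msb(uint32_t a) { return 0u - (a >> 31); }
static uint32_t ct_lt(uint32_t a, uint32_t b) { return ct_msb(a ^ ((a ^ b) | ((a - b) ^ b))); }
static uint32_t ct_ge(uint32_t a, uint32_t b) { return ~ct_lt(a, b); }
static uint32_t ct_is_zero(uint32_t a) { return ct_msb(~a & (a - 1)); }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }

/* Constructed stand-in for HMAC-SHA1: a keyed FNV-style checksum, NOT a real MAC. */
static void toy_mac(const uint8_t key[16], const uint8_t *msg, size_t len, uint8_t out[MAC_LEN]) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < 16; i++)  h = (h ^ key[i]) * 16777619u;
    for (size_t i = 0; i < len; i++) h = (h ^ msg[i]) * 16777619u;
    for (size_t i = 0; i < MAC_LEN; i++) { h = (h ^ (uint32_t)i) * 16777619u; out[i] = (uint8_t)(h >> 24); }
}
static uint32_t ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return ct_is_zero(d);
}

/* Lucky 13 style padding scan: always touch 256 positions so time does not depend on pad
 * (len is public, so clamping the index on it leaks nothing).  All-ones if padding is valid. */
static uint32_t padding_good(const uint8_t *pt, size_t len, uint32_t pad) {
    uint32_t good = 0xffffffffu;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t in_pad = ct_ge(pad, i);                 /* byte i from the end is padding iff i <= pad */
        uint8_t b = pt[len - 1 - (i < len ? i : 0)];
        good &= ~in_pad | ct_eq(b, pad);
    }
    return good;
}

/* Both checkers return 0 for a good record, otherwise the alert number the server would send. */
int check_record_vulnerable(const uint8_t key[16], const uint8_t *pt, size_t len) {
    uint8_t mac[MAC_LEN];
    if (len < MAC_LEN + 1) return ALERT_BAD_RECORD_MAC;
    uint32_t pad = pt[len - 1];
    uint32_t good = padding_good(pt, len, pad);
    pad &= good;                                        /* bad padding: carry on as if pad were 0 */
    int payload_len = (int)len - (int)(MAC_LEN + 1 + pad);
    if (payload_len < 0) return ALERT_RECORD_OVERFLOW;  /* BUG: reachable only when the padding was valid */
    toy_mac(key, pt, (size_t)payload_len, mac);
    good &= ct_memeq(mac, pt + payload_len, MAC_LEN);
    return good ? 0 : ALERT_BAD_RECORD_MAC;
}
int check_record_fixed(const uint8_t key[16], const uint8_t *pt, size_t len) {
    uint8_t mac[MAC_LEN];
    if (len < MAC_LEN + 1) return ALERT_BAD_RECORD_MAC;
    uint32_t pad = pt[len - 1];
    uint32_t good = padding_good(pt, len, pad);
    good &= ct_ge((uint32_t)len, MAC_LEN + 1 + pad);    /* the missing bound, folded into the mask */
    pad &= good;                                        /* so payload_len below can never go negative */
    size_t payload_len = len - (MAC_LEN + 1 + pad);
    toy_mac(key, pt, payload_len, mac);
    good &= ct_memeq(mac, pt + payload_len, MAC_LEN);
    return good ? 0 : ALERT_BAD_RECORD_MAC;
}

/* Lay out a genuine decrypted record: payload || MAC || (pad+1) bytes of value pad. */
size_t build_record(const uint8_t key[16], const uint8_t *payload, size_t plen, uint8_t pad, uint8_t *out) {
    memcpy(out, payload, plen);
    toy_mac(key, payload, plen, out + plen);
    memset(out + plen + MAC_LEN, pad, (size_t)pad + 1);
    return plen + MAC_LEN + pad + 1;
}
static const uint8_t KEY[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };  /* constructed */

/* Forgery: 24 bytes of 0x17, i.e. pad = 23 with self-consistent padding but no room for a
 * 20-byte MAC.  With padding_valid == 0 the first byte is spoiled instead.  Returns the alert. */
int alert_for_forged_record(int use_fixed, int padding_valid) {
    uint8_t rec[24];
    memset(rec, 23, sizeof rec);
    if (!padding_valid) rec[0] = 0x00;
    return use_fixed ? check_record_fixed(KEY, rec, sizeof rec) : check_record_vulnerable(KEY, rec, sizeof rec);
}
/* Control: a well-formed record passes both checkers; a corrupted payload fails both. */
int alert_for_genuine_record(int use_fixed, int corrupt_payload) {
    uint8_t rec[64];
    size_t n = build_record(KEY, (const uint8_t *)"GET / HTTP/1.1", 14, 3, rec);
    if (corrupt_payload) rec[0] ^= 0x01;
    return use_fixed ? check_record_fixed(KEY, rec, n) : check_record_vulnerable(KEY, rec, n);
}

int main(void) {
    printf("vulnerable: good padding -> alert %d, bad padding -> alert %d\n",
           alert_for_forged_record(0, 1), alert_for_forged_record(0, 0));
    printf("fixed:      good padding -> alert %d, bad padding -> alert %d\n",
           alert_for_forged_record(1, 1), alert_for_forged_record(1, 0));
    return 0;
}
```

Run it and the vulnerable checker answers 22 (record_overflow) to the well-padded forgery and 20 (bad_record_mac) to the badly padded one, while the fixed checker answers 20 to both. An attacker on the path exploits the first behaviour by flipping bytes in the preceding ciphertext block, watching which alert comes back, and recovering the plaintext a byte at a time. Note that the `payload_len < 0` branch in the vulnerable version is itself data-dependent, a second reason the fixed version keeps everything inside the mask.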
CVE-2016-2105 and CVE-2016-2106 cover overflows in EVP_EncodeUpdate(), which is used for Base64 encoding of binary data, and in EVP_EncryptUpdate() respectively. In both cases an attacker able to supply very large amounts of input data (for EVP_EncryptUpdate(), after an earlier call that left a partial block) can overflow a length check and corrupt the heap, but the chances of turning that into execution of malicious code are small, the bulletin advised.
CVE-2016-2109 covers a minor flaw in the ASN.1 BIO code: a short, invalid encoding read through functions such as d2i_CMS_bio() can trigger allocation of large amounts of memory, potentially exhausting it and crashing the target system.
CVE-2016-2176 is the final low-severity flaw: an ASN.1 string longer than 1024 bytes can cause an over-read in X509_NAME_oneline() on EBCDIC systems, returning arbitrary stack data in the output buffer, though not, in practice, enough to be useful to an attacker.
As with all OpenSSL security updates it's time to get patching quickly: the library underlies so much of what we do online, and exploit writers are quick to build code to take advantage of serious issues. ®