OpenSSL swats a dozen bugs, one notable nasty

Denial of service dross dead.

Got Tips? 4 Reg comments

A dozen flaws have been patched in OpenSSL, including one high severity hole that allows denial of service attacks.

The OpenSSL Project pushed patches in versions 1.1.0a, 1.0.2i and 1.0.1u, with most of the flaws flagged as low severity risks.

The nastiest vulnerability (CVE-2016-6304) results when attackers issue a massive OCSP status request extension which exhausts memory on servers in default configuration. Researcher Shi Lei of vulnerability blitzkrieg house Qihoo 360 spotted that one.

Admins can mitigate damage by running no-ocsp or by running older versions of OpenSSL below 1.0.1g.

Another moderate severity denial of service flaw (CVE-2016-6305) is fixed in the patch run which affects 1.0 of OpenSSL.

The OpenSSL project nixed risky ciphers in version 1.1 to squash the so-called Sweet32 exploit which is a birthday attack against 64-bit ciphers like Blowfish and Triple DES.

Cisco said it was difficult to exploit.

“For a successful attack, a large amount of data has to be sent one-way during the session, and the session has to be encrypted using the same key," Borg security engineers said.

"For 64-bit ciphers, it would take about 32GB of data in order to have a 50 percent probability of collision in any of the cipher blocks”. ®

Sponsored: Webcast: Discover and secure all of your attack surface


Keep Reading


Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers

Unauthorised users able to perform 'arbitrary code execution'

Still losing sleep over that awful Citrix bug? This scanner is here to help... you realize you've already been pwned

Handy FireEye tool roots out indicators of compromise
Citrix Silicon Valley HQ building

Good: IT admins scrambled to patch 80 per cent of public-facing Citrix boxes to close nightmare hijack hole

Bad: The other 20 per cent are still wide open. Also bad: Some of those patched machines may have been hacked

As miscreants prey on thousands of vulnerable boxes, Citrix finally emits patches to fill in hijacking holes in Gateway and ADC

SD-WAN WANOP will have to wait a few days, though

'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind

Congratulations, you've won a secret backdoor

Citrix goes up the down escalator and doesn't just issue guidance – it's increased 2020 targets

We were made for these times, says remote app-slinger, but we’re staying off planes
A close-up of the Windows key on a PC keyboard

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit

Vid Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder

If you haven't shored up that Citrix hole, you were probably hacked over the weekend: Exploit code now available

Roundup Plus: TikTok clocked, Honey in a sticky situation, Arm's PAN mechanisms sidestepped

Biting the hand that feeds IT © 1998–2020