What is Openssl?

OpenSSL is a an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It ensures secure communications against attackers from Eavesdropping and MITM attacks.

Openssl library includes tools for generating RSA/ECC public and private keys. OpenSSL is written in C, but wrappers are available with variety of computer languages.

What is OCSP?

OCSP is an online certificate status protocol used in obtaining the status of an X509 certificate. Other method that OCSP suppressed in some scenarios is Certificate Revocation List (CRL). It would return the signed response signifying that the certificate status good, unknown or revoked. Would return a error code if unable to process.For more details with OCSP RFC6090 .

 

Denial Of Service CVE-2016-6304 : A malicious client can send an large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then it leads for enormous memory growth in server. This would leads to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the “no-ocsp”option are not affected. Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support.

  • Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
  • Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
  • Fixed in OpenSSL 1.1.0a (Affected 1.1.0)

CVE-2016-6305 (OpenSSL advisory) : OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an empty record. This could be exploited by a malicious peer in a Denial Of Service attack.

  • Fixed in OpenSSL 1.1.0a (Affected 1.1.0)

CVE-2016-6306 (OpenSSL advisory) In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate request and server certificate. As a result the attack can only be performed against a client or a server which enables client authentication. Reported by Shi Lei (Gear Team, Qihoo 360 Inc.).

  • Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
  • Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)

Also for support for OpenSSL version 1.0.1 will end 31st December 2016.

Article Source : Openssl

 

 

Gurubaran is a PKI Security Engineer. Certified Ethical Hacker, Penetration Tester, Security blogger, Co-Founder & Author of GBHackers On Security.