Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



OpenSSL Vulnerabilities

Published: 2003-10-02
Last Updated: 2003-10-02 21:55:17 UTC
by Handlers (Version: 1)
Summary:
On September 30th, the OpenSSL group released a security advisory about vulnerabilities in the SSL code that may cause a DoS (Denial of Service) and, possibly, remote compromise.

The vulnerabilities include a flaw in the OpenSSL implementation of the Abstract Syntax Notation One (ASN.1) data format, as well as an unusual, but possible, exploitation of the code that verifies certificates, which may result in a DoS attack.

All versions up to and including 0.9.6j and 0.9.7b are affected. All versions of SSLeay are also known to be affected.

Solution:
Upgrade to the recently released versions: 0.9.6k or 0.9.7c. Note, however, that the OpenSSL libraries can be loaded dynamically or compiled statically into the respective binary. For dynamically loaded libraries, updating the OpenSSL library is sufficient. Statically linked programs have to be recompiled. To check which libraries are loaded dynamically, use the 'ldd' command.
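
The following script is an added example, not part of the original diary or of OpenSSL: it sorts binaries into "library update is sufficient" and "must be recompiled" using 'ldd' and the version thresholds given above. The function names are hypothetical, and finding a static copy through the version banner that OpenSSL embeds (as shown by 'strings') is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the diary. Version thresholds are the diary's:
# affected up to and including 0.9.6j and 0.9.7b; fixed in 0.9.6k and 0.9.7c.

# Return 0 if an OpenSSL version string such as "0.9.6j" is affected.
is_affected_version() {
    case $1 in
        0.9.7|0.9.7[ab])          return 0 ;;
        0.9.6|0.9.6[abcdefghij])  return 0 ;;
        0.9.[0-5]*|0.[0-8].*)     return 0 ;;  # anything older than 0.9.6
        *)                        return 1 ;;
    esac
}

# Read `ldd` output on stdin; print "dynamic" if libssl/libcrypto is listed.
linkage_from_ldd() {
    if grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so'; then
        echo dynamic
    else
        echo none
    fi
}

# Read `strings` output on stdin; print the first embedded version, taken from
# the banner a statically linked copy carries ("OpenSSL 0.9.6j 10 Apr 2003").
embedded_version() {
    sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\) .*/\1/p' | head -n 1
}

# Classify one binary (the path is whatever the caller passes in).
check_binary() {
    if [ "$(ldd "$1" 2>/dev/null | linkage_from_ldd)" = dynamic ]; then
        echo "$1: dynamic OpenSSL, updating the shared library is sufficient"
        return 0
    fi
    ver=$(strings "$1" 2>/dev/null | embedded_version)
    if [ -z "$ver" ]; then
        echo "$1: no OpenSSL version banner found"
    elif is_affected_version "$ver"; then
        echo "$1: static OpenSSL $ver, recompile against 0.9.6k or 0.9.7c"
    else
        echo "$1: static OpenSSL $ver, not in the affected range"
    fi
}

for f in "$@"; do check_binary "$f"; done
```

Pass the paths of the network-facing binaries as arguments. Some versions of 'ldd' obtain the dependency list by executing the program, so run it only on binaries you already trust.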
References:
OpenSSL Security Advisory:

http://www.openssl.org/news/secadv_20030930.txt

Fixed OpenSSL Versions:

- Version: 0.9.6k: http://www.openssl.org/source/openssl-0.9.6k.tar.gz

- Version: 0.9.7c: http://www.openssl.org/source/openssl-0.9.7c.tar.gz

The major Linux distributions are announcing new OpenSSL packages to correct the issues.

__________________________________

Send comments to isc _AT_ sans.org