A new version of the OpenSSL package has been released, fixing six vulnerabilities, including a plaintext recovery attack on the DTLS implementation. There are two other cryptographic flaws fixed in OpenSSL 1.0.0f, and a few other less-serious problems.
The most problematic of the vulnerabilities fixed in the new version is the one that enables the plaintext recovery attack, which was discovered by a pair of security researchers who found a way to extend the CBC padding oracle attack. By exploiting the problem in OpenSSL’s DTLS implementation, an attacker can recover the plaintext of an encrypted message.
“Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing,” the OpenSSL advisory says.
Among the other vulnerabilities fixed in version 1.0.0f is a problem with the way that the application handles padding for SSL 3.0 records. In those records, the application would not clear the bytes that it uses as padding, meaning that some amount of potentially sensitive data from previous transactions could be sent as part of a subsequent operation.
“OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as block cipher padding in SSL 3.0 records. This affects both clients and servers that accept SSL 3.0 handshakes: those that call SSL_CTX_new with SSLv3_{server|client}_method or SSLv23_{server|client}_method. It does not affect TLS. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory,” the advisory says.
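The two cryptographic fixes described above (timing differences during CBC decryption, and uninitialized pad bytes in SSL 3.0 records) come down to how a record's padding is produced and checked. The following C example is added here to illustrate both points; it is not OpenSSL's code. It assumes a 16-byte block cipher and a constructed ten-byte payload, and uses hypothetical helper names (`ssl3_pad`, `ssl3_unpad_leaky`, `ssl3_unpad_ct`, `ct_memeq`, `demo_checks`). The padding routine clears the pad bytes before they are encrypted, so stale buffer contents never leave the process; the two unpad routines show an early-exit check whose running time depends on the pad byte next to a branch-free version that always does the same work and hands the caller a mask.

```c
/* Added example (not OpenSSL's code): SSL 3.0 style CBC padding, built with
 * cleared pad bytes and checked without data-dependent timing. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 16   /* assumed block size: the pad-length byte is at most 15 */

/* Pad a payload SSL 3.0 style: pad bytes, then one byte holding the pad count.
 * The pad bytes are zero-filled explicitly instead of being left as whatever
 * the buffer held before (the "up to 15 bytes of uninitialized memory" case).
 * Returns the padded length, or 0 if the output buffer is too small. */
size_t ssl3_pad(uint8_t *out, size_t out_cap,
                const uint8_t *payload, size_t len)
{
    size_t padlen = BLOCK_SIZE - (len % BLOCK_SIZE) - 1;   /* 0..15 */
    size_t total = len + padlen + 1;
    if (total > out_cap)
        return 0;
    memcpy(out, payload, len);
    memset(out + len, 0, padlen);   /* clear, never carry stale bytes */
    out[total - 1] = (uint8_t)padlen;
    return total;
}

/* Variable-time unpad: each early return makes the time taken depend on the
 * (secret) pad byte, which is the kind of difference a padding oracle measures. */
int ssl3_unpad_leaky(const uint8_t *rec, size_t reclen, size_t *payload_len)
{
    if (reclen == 0 || reclen % BLOCK_SIZE != 0)
        return 0;
    size_t padlen = rec[reclen - 1];
    if (padlen >= BLOCK_SIZE)
        return 0;                     /* early exit on bad padding */
    if (padlen + 1 > reclen)
        return 0;
    *payload_len = reclen - padlen - 1;
    return 1;
}

/* 1 if a < b, else 0, with no data-dependent branch (assumes a, b < 2^31). */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return (a - b) >> 31;
}

/* Constant-time unpad: every record does the same arithmetic and the validity
 * is returned as a flag, so the caller can still run its MAC check on invalid
 * padding and report one uniform error afterwards. */
int ssl3_unpad_ct(const uint8_t *rec, size_t reclen, size_t *payload_len)
{
    if (reclen == 0 || reclen % BLOCK_SIZE != 0)
        return 0;                     /* record length is public, not secret */
    uint32_t padlen = rec[reclen - 1];
    uint32_t ok = ct_lt(padlen, BLOCK_SIZE) & ct_lt(padlen, (uint32_t)reclen);
    uint32_t mask = 0u - ok;          /* all ones when valid, zero otherwise */
    *payload_len = ((uint32_t)reclen - padlen - 1u) & mask;
    return (int)ok;
}

/* Constant-time byte comparison for MAC/tag checks: no early exit on mismatch. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* 1 if every pad byte of a well-formed record is zero, i.e. nothing stale. */
int ssl3_pad_is_clean(const uint8_t *rec, size_t reclen)
{
    if (reclen == 0)
        return 0;
    size_t padlen = rec[reclen - 1];
    if (padlen >= BLOCK_SIZE || padlen + 1 > reclen)
        return 0;
    for (size_t i = reclen - 1 - padlen; i < reclen - 1; i++)
        if (rec[i] != 0)
            return 0;
    return 1;
}

/* Constructed demo: pad a ten-byte payload, round-trip it through both unpad
 * routines, then forge the pad-length byte and confirm both reject it.
 * Returns the number of checks that passed (7 when everything works). */
int demo_checks(void)
{
    const char *payload = "0123456789";       /* constructed sample input */
    uint8_t rec[BLOCK_SIZE];
    size_t plen = 0;
    int passed = 0;
    size_t n = ssl3_pad(rec, sizeof rec, (const uint8_t *)payload, 10);
    passed += (n == BLOCK_SIZE);
    passed += (rec[BLOCK_SIZE - 1] == 5);
    passed += ssl3_pad_is_clean(rec, n);
    passed += (ssl3_unpad_ct(rec, n, &plen) == 1 && plen == 10);
    passed += (ssl3_unpad_leaky(rec, n, &plen) == 1 && plen == 10);
    rec[BLOCK_SIZE - 1] = 0x20;               /* forged pad length >= block size */
    passed += (ssl3_unpad_ct(rec, n, &plen) == 0 && plen == 0);
    passed += (ssl3_unpad_leaky(rec, n, &plen) == 0);
    return passed;
}
```

The point of `ssl3_unpad_ct` is not that it is faster or slower, but that its running time no longer tells a remote observer whether the pad byte was acceptable; a real record layer would then compute and compare the MAC with `ct_memeq` regardless of the flag, and only afterwards decide what to return.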
Versions 1.0.0f and 0.9.8s also include fixes for several other vulnerabilities: a condition that allows an attacker to cause a denial of service on a server that supports server-gated cryptography handshake restarts; an assertion failure caused by malformed RFC 3779 data; and a DoS condition that can be triggered by sending invalid parameters for the GOST hash function.
Users of previous versions should upgrade to OpenSSL 1.0.0f or 0.9.8s.