OpenSSL Flaw Can Crash Remote Machines

There is a vulnerability in some versions of the OpenSSL software that can enable an attacker to crash remote clients or servers using a specially constructed record.

The flaw gives an attacker the ability to use a single TLS record to take out remote machines that are running a vulnerable version of the OpenSSL software. The OpenSSL team has released a patch for the vulnerability, which affects versions 0.9.8f-0.9.8m.

In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL (a NULL pointer dereference while processing the record).

Affected versions depend on the C compiler used with OpenSSL:

– If ‘short’ is a 16-bit integer, this issue applies only to OpenSSL 0.9.8m.
– Otherwise, this issue applies to OpenSSL 0.9.8f through 0.9.8m.

Users of the vulnerable versions should upgrade immediately.
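The affected-version rule above depends on how wide the compiler's `short` type is, which is easy to get wrong when checking an inventory of builds by hand. The following is an added example, not code from Threatpost or the OpenSSL project: it parses plain OpenSSL 0.9.8 version strings (a constructed assumption about the input format, e.g. `0.9.8m`; later two-letter releases such as `0.9.8za` are treated as newer than every single-letter one) and applies the advisory's rule for a given `short` width, reporting the width the compiler building the file actually uses.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the input is a bare OpenSSL version string such as "0.9.8m".
 * Returns the patch level of a 0.9.8 release as an integer (0 for a bare
 * "0.9.8", 1 for 'a', ...), or -1 if the string is not a 0.9.8 release. */
static int openssl_098_patch_level(const char *version)
{
    const char *prefix = "0.9.8";
    size_t n = strlen(prefix);
    if (strncmp(version, prefix, n) != 0)
        return -1;                        /* 1.0.0, 0.9.7x, ... */
    const char *p = version + n;
    if (*p == '\0')
        return 0;                         /* bare "0.9.8" */
    if (!isalpha((unsigned char)*p))
        return -1;                        /* e.g. "0.9.80" is not 0.9.8 */
    int level = tolower((unsigned char)*p) - 'a' + 1;
    /* Later 0.9.8 releases used two letters ("0.9.8za"); treat any such
     * release as newer than every single-letter release. */
    if (isalpha((unsigned char)p[1]))
        level += 26;
    return level;
}

/* The advisory rule, with the width of 'short' passed in so both branches
 * can be exercised regardless of the compiler running this code:
 *   16-bit short  -> only 0.9.8m is affected
 *   otherwise     -> 0.9.8f through 0.9.8m are affected */
int openssl_098_null_read_affected(const char *version, int short_bits)
{
    int level = openssl_098_patch_level(version);
    if (level < 0)
        return 0;
    int f = 'f' - 'a' + 1;   /* 6  */
    int m = 'm' - 'a' + 1;   /* 13 */
    if (short_bits == 16)
        return level == m;
    return level >= f && level <= m;
}

/* Width of 'short' under the compiler that built this file. */
int host_short_bits(void)
{
    return (int)(sizeof(short) * CHAR_BIT);
}

int main(void)
{
    /* Constructed sample of version strings one might find in an inventory. */
    const char *samples[] = { "0.9.8e", "0.9.8f", "0.9.8m",
                              "0.9.8n", "0.9.8za", "1.0.0" };
    int bits = host_short_bits();
    printf("short is %d bits on this compiler\n", bits);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s affected: %s\n", samples[i],
               openssl_098_null_read_affected(samples[i], bits) ? "yes" : "no");
    return 0;
}
```

Run it on the host that will actually build OpenSSL, since the `short` width reported is the one that matters; when checking a remote build, pass that compiler's width explicitly instead.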
