The latest batch of OpenSSL security patches were released today, with a pair of high-severity flaws and four low-severity issues addressed in OpenSSL 1.0.1t and OpenSSL 1.0.2h.
One of the high-severity flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the decryption of traffic if the connection uses an AES CBC cipher and the server supports AES-NI.
“The AES issue is interesting. If you can [man-in-the-middle] then you can inject packets, look at the error codes, and then eventually decrypt traffic,” said Rich Salz, a member of the OpenSSL development team and an engineer at Akamai. “So it’s for national-scale attackers who can force DNS or BGP routes, or small hackers who can hack Wi-Fi in Starbucks.”
OpenSSL said in its advisory that this issue was part of a fix for the Lucky 13 padding attacks of 2013. Lucky 13 is a side-channel crypto attack against TLS, specifically the message authentication code stage of TLS implementations.
“The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes,” OpenSSL said in its advisory. “But it no longer checked that there was enough data to have both the MAC and padding bytes.”
The second high-severity issue is a memory corruption vulnerability in the ASN.1 encoder used in OpenSSL. Only versions prior to April 2015 are affected, OpenSSL said; the flaw was patched April 18, 2015 and released last June.
“The other [high severity] bug was fixed a year ago, but nobody saw the security impact,” Salz said. “If vendors just picked up our fixes, we’d be all set.”
In its advisory, OpenSSL explained that the vulnerability by itself does not pose a security issue, but if combined with a second and unrelated bug in the ASN.1 parser, could result in a buffer overflow.
From the advisory:
“A second, independent bug revealed that the ASN.1 parser (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag as a negative zero value. Large universal tags are not present in any common ASN.1 structures (such as X509) but are accepted as part of ANY structures. Therefore, if an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger an out-of-bounds write. This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations.”
OpenSSL said OpenSSL 1.0.2c and 1.0.1o address this vulnerability.
OpenSSL today also patched two overflow vulnerabilities in the EVP_EncodeUpdate () function. An attacker could input a large amount of data causing a heap corruption in both cases. There are limitations in both cases that minimize the security impact of successful exploits of both situations, OpenSSL said.
The remaining low-severity vulnerabilities are in the ASN.1 BIO and in the X509_NAME_oneline() function in EBCDIC systems, resulting memory exhaustion and arbitrary stack data returned in the buffer, respectively.
OpenSSL also reminds users that security support for version 1.0.1 ends on Dec. 31; support for 0.9.8 and 1.0.0 ended last December.