The OpenSSL project recently released a batch of patches for its library, one of which fixes a serious flaw that could be exploited in a denial-of-service (DoS) attack.
OpenSSL is an open source library that provides encryption for Internet connections through the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The vulnerability exists in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0, and is patched in versions 1.1.0a, 1.0.2i and 1.0.1u.
The most severe vulnerability, CVE-2016-6304, can be exploited by sending large OCSP Status Request extensions to the server during the connection process, leading to memory exhaustion and denial of service.
What is OCSP protocol?
OCSP (Online Certificate Status Protocol), supported by most web browsers, is a protocol for checking the revocation status of a website's digital certificate in real time. It has two parts, the OCSP client and the OCSP server. When an application or web browser validates an SSL certificate, the client sends a request to the online responder over HTTP, and the result returned is the status of the certificate: valid or not.
Attackers can use the TLS extension identified as "TLSEXT_TYPE_status_request" to request OCSP status repeatedly on the same connection, causing the server's memory consumption to grow without limit.
HOW TO MITIGATE THE ATTACK
Administrators can minimize the damage by building OpenSSL with the 'no-ocsp' option. Additionally, servers running versions earlier than OpenSSL 1.0.1g are not affected in their default configuration.
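As an added example (not code from the article or from the OpenSSL project), here is a small Python check that classifies a reported OpenSSL version string against the affected and fixed releases named above. The FIXED_RELEASES table and the pre-1.0.1g rule are taken from this page; the verdict labels and the helper names are my own.

```python
import re
import subprocess

# Affected branches and the first fixed release on each, as stated in the article.
FIXED_RELEASES = {
    (1, 0, 1): "1.0.1u",
    (1, 0, 2): "1.0.2i",
    (1, 1, 0): "1.1.0a",
}

# Servers on releases before 1.0.1g are not affected in a default build (per the article).
FIRST_AFFECTED = "1.0.1g"

VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.0.2h  3 May 2016' or '1.0.1u' into a comparable tuple.

    OpenSSL 1.x appends a patch letter to the base release, and the bare release
    sorts first: 1.0.2 < 1.0.2a < ... < 1.0.2i. Tuple comparison gives exactly
    that ordering because '' < 'a' < 'b' ... as strings.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, fix, m.group(4))


def assess(version_text):
    """Classify a version against CVE-2016-6304: 'vulnerable', 'patched',
    'not affected in default configuration' or 'branch not listed in advisory'."""
    v = parse_version(version_text)
    if v < parse_version(FIRST_AFFECTED):
        return "not affected in default configuration"
    fixed = FIXED_RELEASES.get(v[:3])
    if fixed is None:
        return "branch not listed in advisory"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def assess_local_openssl():
    """Run the local 'openssl version' binary and classify what it reports."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return out.stdout.strip(), assess(out.stdout)


if __name__ == "__main__":
    reported, verdict = assess_local_openssl()
    print(f"{reported}: {verdict}")
```

A "branch not listed" verdict only means the advisory on this page does not name that branch; check the project's own advisory for branches released after it.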
The OpenSSL team also fixed 12 other vulnerabilities rated low severity, most of which do not affect the 1.1.0 branch.
Notably, the OpenSSL Project ends support for OpenSSL version 1.0.1 on 31/12/2016, so users of that branch will not receive any updates in 2017. Users are advised to upgrade to the latest version as soon as possible.