Description
On 25th March 2021 OpenSSL published a security update for recently discovered vulnerabilities in its software that can be used to carry out denial-of-service (DoS) attacks. It is recommended that you take the necessary precautions by ensuring your products are always updated.
How it works
Two vulnerabilities, CVE-2021-3449 and CVE-2021-3450, were discovered in the OpenSSL software. CVE-2021-3449 concerns a potential DoS risk arising from a NULL pointer dereference: an OpenSSL TLS server can crash if, in the course of renegotiation, the client transmits a maliciously crafted ClientHello message during the handshake between the server and the user.
CVE-2021-3450 relates to the X509_V_FLAG_X509_STRICT flag, which enables additional security checks of the certificates present in a certificate chain. While this flag is not set by default, an error in the implementation meant that OpenSSL failed to check that “non-CA certificates must not be able to issue other certificates,” resulting in a certificate validation bypass.
Solution
OpenSSL has addressed these two vulnerabilities in the OpenSSL 1.1.1k update.
For more information on this OpenSSL update you can follow this URL:
https://www.openssl.org/news/secadv/20210325.txt
The Guyana National CIRT recommends that users and administrators review this alert and apply updates where necessary.
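As an added example (not code from the OpenSSL advisory or from this alert), the following Python snippet maps the OpenSSL version tuple that Python's ssl module reports to the two CVEs described under "How it works", and builds a client context with the strict X.509 chain checks (the checks behind X509_V_FLAG_X509_STRICT) turned on. The affected ranges are those given in the OpenSSL advisory linked above; the function names are my own, and pre-release 3.0 alpha builds are not modelled.

```python
import ssl

# Patch letters map to numbers in OpenSSL version tuples: a=1 ... j=10, k=11.
FIXED_PATCH = 11          # 1.1.1k, the release that fixes both issues
STRICT_REGRESSION_PATCH = 8  # 1.1.1h, where CVE-2021-3450 was introduced


def affected_cves(version_info=ssl.OPENSSL_VERSION_INFO):
    """Return the subset of {CVE-2021-3449, CVE-2021-3450} that applies to an
    OpenSSL version tuple (major, minor, fix, patch, status), in the format of
    ssl.OPENSSL_VERSION_INFO. Only the 1.1.1 branch is affected: CVE-2021-3449
    from 1.1.1 up to 1.1.1j, CVE-2021-3450 from 1.1.1h up to 1.1.1j. The 1.0.2
    branch is not affected by either issue."""
    major, minor, fix, patch = version_info[:4]
    if (major, minor, fix) != (1, 1, 1) or patch >= FIXED_PATCH:
        return set()
    cves = {"CVE-2021-3449"}
    if patch >= STRICT_REGRESSION_PATCH:
        cves.add("CVE-2021-3450")
    return cves


def strict_client_context():
    """Default client context with the strict X.509 checks enabled, so that a
    non-CA certificate used as an issuer is rejected. This only gives the
    intended protection once the linked OpenSSL is 1.1.1k or later."""
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    return ctx


def has_strict_checks(ctx):
    """True when the context carries the strict X.509 verification flag."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


if __name__ == "__main__":
    print("Linked OpenSSL:", ssl.OPENSSL_VERSION)
    print("Affected by:", sorted(affected_cves()) or "neither issue")
```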