OpenSSL Issues Updates to Address Two Critical Security Vulnerabilities

On March 26, 2021, OpenSSL maintainers released fixes for two high-severity security flaws that could lead to denial-of-service (DoS) attacks and the circumvention of certificate verification. Identified as CVE-2021-3449 and CVE-2021-3450, these vulnerabilities have been patched in the latest update (version OpenSSL 1.1.1k), made available on Thursday. CVE-2021-3449 is applicable to all OpenSSL 1.1.1 versions, while CVE-2021-3450 affects versions 1.1.1h and later. OpenSSL provides cryptographic functions that support the Transport Layer Security protocol, aiding in the secure transmission of communication over networks. According to an advisory from OpenSSL, CVE-2021-3449 poses a potential DoS risk linked to NULL pointer dereferencing, which can result in an OpenSSL TLS server crash if a client sends a malicious “ClientHello” message during the handshake process.

OpenSSL Addresses Two High-Severity Vulnerabilities

March 26, 2021

OpenSSL has announced the release of critical patches aimed at addressing two high-severity vulnerabilities that pose a significant risk to its widely used cryptographic library. These flaws, identified as CVE-2021-3449 and CVE-2021-3450, could potentially enable attackers to execute denial-of-service (DoS) attacks and circumvent certificate verification, raising serious concerns for organizations relying on this framework for secure communications.

The vulnerabilities have been mitigated in the latest update, OpenSSL version 1.1.1k, which was made available on Thursday. CVE-2021-3449 affects all versions of OpenSSL 1.1.1, while CVE-2021-3450 is specific to OpenSSL versions 1.1.1h and later. Given the prevalence of OpenSSL in securing data transmitted over networks, these flaws highlight vulnerabilities affecting a wide array of systems.

According to the OpenSSL advisory, CVE-2021-3449 relates to a potential DoS issue stemming from NULL pointer dereferencing. This bug can trigger a crash in an OpenSSL TLS server during the renegotiation phase of a connection, particularly when a malicious client sends a crafted “ClientHello” message during the handshake process. Such an attack could disrupt services and cause significant operational impacts for impacted entities.

The commercial implications of these vulnerabilities are considerable, particularly for businesses that process sensitive information or rely on secure communications. Organizations must prioritize upgrading to the patched version of OpenSSL to safeguard against potential exploitation. Failure to implement these fixes could leave systems vulnerable to attacks that not only compromise security but also impact customer trust and business reputation.

In identifying the possible tactics corresponding to the MITRE ATT&CK framework, adversaries could exploit the vulnerabilities as part of initial access strategies or leverage them to maintain persistence within affected systems. The potential for privilege escalation through such vulnerabilities emphasizes the importance of immediate remediation and routine updates as part of broader cybersecurity hygiene practices.

As these vulnerabilities serve as a reminder of the ongoing security challenges faced across the technology landscape, business leaders must remain vigilant. Engaging in regular assessments of their cryptographic dependencies and ensuring timely reports on security updates from platforms like OpenSSL should serve as central components of their cybersecurity strategy.

In summary, OpenSSL’s timely response to these vulnerabilities reaffirms the importance of vigilance in cybersecurity. Business owners are urged to stay informed about such developments and take necessary actions to mitigate risks associated with their operational frameworks.

Source link

Related Posts

New Vulnerabilities May Allow Hackers to Bypass Spectre Mitigations on Linux

Cybersecurity researchers have recently unveiled two critical vulnerabilities in Linux-based systems. If exploited, these flaws could enable attackers to bypass mitigations for speculative execution attacks like Spectre and access sensitive kernel memory. Identified by Piotr Krysiuk from Symantec’s Threat Hunter team, the vulnerabilities are designated as CVE-2020-27170 and CVE-2020-27171, both with a CVSS score of 5.5. They affect all Linux kernels released before version 5.11.8. Security patches were made available on March 20, with various distributions, including Ubuntu, Debian, and Red Hat, implementing fixes. CVE-2020-27170 can disclose content from any kernel memory location, while CVE-2020-27171 enables data retrieval from a 4GB segment of kernel memory. First reported in January 2018, the Spectre and Meltdown vulnerabilities exploit weaknesses in modern CPUs to leak sensitive data.

NSA Identifies New Vulnerabilities in Microsoft Exchange Servers

April 14, 2021

In its April update, Microsoft addressed a total of 114 security vulnerabilities, including one actively exploited zero-day flaw and four remote code execution issues within Exchange Server. Among these vulnerabilities, 19 are classified as Critical, 88 as Important, and one as Moderate. Notably, CVE-2021-28310 is a privilege escalation vulnerability within Win32k, currently under active exploitation, allowing attackers to execute malicious code and gain elevated privileges on affected systems. Cybersecurity firm Kaspersky, which reported the flaw to Microsoft in February, connected the zero-day exploit to the Bitter APT group, known for utilizing a similar vulnerability (CVE-2021-1732) in attacks last year. “This is an escalation of privilege (EoP) exploit likely used in conjunction with other browser exploits to bypass sandboxes or obtain system privileges for further access,” explained Kaspersky researcher Boris Larin.

Urgent: Update Your Chrome Browser Immediately to Fix Recently Discovered Vulnerability

Google has released a critical update for the Chrome web browser across Windows, Mac, and Linux, addressing seven security issues, including one actively exploited flaw. Identified as CVE-2021-21224, this vulnerability arises from a type confusion problem in the V8 JavaScript engine, reported by security researcher Jose Martinez on April 5. Security expert Lei Cao explains that the bug occurs during integer type conversion, leading to an out-of-bounds condition that could allow arbitrary memory read/write access. “Google is aware of reports indicating that exploits for CVE-2021-21224 are in the wild,” stated Chrome’s Technical Program Manager, Srinivas Sista, in a recent blog post. This update follows the release of proof-of-concept code by a researcher named “frust” on April 14, highlighting the urgency of addressing this issue.

F5 BIG-IP Exposed to Kerberos KDC Spoofing Vulnerability

On April 28, 2021, cybersecurity researchers revealed a significant bypass vulnerability (CVE-2021-23008) affecting the Kerberos Key Distribution Center (KDC) security feature in F5 BIG-IP application delivery services. According to Silverfort researchers Yaron Kassner and Rotem Zach, the KDC Spoofing vulnerability enables attackers to circumvent Kerberos authentication to the Big-IP Access Policy Manager (APM), allowing unauthorized access to sensitive resources and, in some instances, the Big-IP admin console. Following this disclosure, F5 Networks issued patches to rectify the vulnerability (CVE-2021-23008, CVSS score 8.1), which are available in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. A similar patch for version 16.x is anticipated in the future. Customers using version 16.x are advised to consult the security advisory for exposure assessment and mitigation details.