New bugs have been discovered in OpenSSL, a year on from the announcement of the Heartbleed flaw.
Described as a high severity flaw, the advisory said that one “high” severity flaw exists if a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, then a “NULL pointer dereference” will occur. This can be exploited in a denial of service attack against the server.
In the second flaw, which was raised from “low” to “high”, and affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. It was originally classified low as it was originally thought that server RSA export ciphersuite support was rare, however recent studies have shown that RSA export ciphersuites support are far more common.
The advisory said: “A client was only vulnerable to a man in the middle attack against a server which supports an RSA export ciphersuite.”
Trey Ford, global security strategist at Rapid 7, said that the highest severity issue (a crash via NULL pointer dereference) only affects version 1.0.2, yet many users are still on versions 0.9.8 and 1.0.1. “We expect to see corresponding attack code quickly built by those reverse engineering the published patches – steps to push these fixes to internet exposed systems should be prioritized. Export ciphers are overdue for retirement, and organisations using them should looks for ways to upgrade to more stringent encryption standards,” he said.
Andy Manoske, senior product manager at AlienVault, said: “Exploiting Heartbleed yielded extremely sensitive cryptographic information. But utilizing that information to violate a target and steal information required at least some knowledge of cryptography and programming. An exploit to DoS SSL servers could likely be built into a quick attack tool and used by attackers with minimal technical skills.”
Also released were nine patches rated as “moderate”, and two rated as “low”.