View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

No Heartbleed, but OpenSSL warns of ‘high severity’ flaw

Users urged to upgrade.

By Joao Lima

Panic came to OpenSSL offices in Adamstown, US this Thursday with the release of a security warning containing 12 advisories alerting users to urgently upgrade to OpenSSL 1.0.2.a.

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithm extension a NULL pointer dereference will occur.

This can be exploited in a DoS attack against the server. The original warning was categorised as "low", with versions 0.9.8, 1.0.0, and 1.0.1 being classified as "high risk".

The latest release exposes "high severity" defects known as CVE-2015-0291 and CVE-2015-0204.

The CVE-2015-0204 is known as the FREAK attack, which allows a weaker set of encryption keys to be substituted for current, stronger keys.

These two high-severity bugs joins a list which includes Heartbleed, a serious vulnerability in the popular OpenSSL cryptographic software library.

The other advisories covered bugs which were rated as "moderate" or "low". The bug was discovered by Stanford University, CA, student David Ramos on 26th February.

Content from our partners
Infosecurity Europe 2024: Rethink the power of infosecurity
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond

Ken Westin, senior security analyst at Tripwire, said: "The security community appears to have dodged a bullet with regards to these vulnerabilities. Where many were expecting something along the same lines as Heartbleed, the vulnerabilities announced with a high severity rating will not have a significant impact.

"The CVE-2015-0291 vulnerability could cause a disruption of services, but only in very rare occurrences where a server requests a certificate from a client, something that would happen in rare implementations. The CVE-2015-0204 vulnerability is a reclassification of the FREAK vulnerability we already know about and which also has a limited impact to businesses and requires a number of variables to be in place in order to exploit."

Kevin Epstein, VP of Advanced Security and Governance at Proofpoint, said: "Complex software code, because if its complexity, is likely to have aspects that could allow malicious actors to cause the code to act in ways the developers didn’t intend. This is particularly true of older code, where the climate at the time was such that malicious actors were less of a concern.

"However, if such code is shielded behind additional layers of modern security, then the flaws may not be exposed to malicious actors regardless. In all cases, additional targeted attack protection and automated threat response are crucial; the additional threat intelligence these systems provide and incorporate can help shield organisations from attackers exploiting still unknown flaws."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.