The open-source cryptographic library OpenSSL showed the world that it had a major vulnerability this past April. Known as the “Heartbleed” bug, OpenSSL proved itself vulnerable to hackers who wished to exploit its process that functioned to keep two computers in communication with one another. It appears, however, that Heartbleed was not the only flaw because the OpenSSL project recently named six additional vulnerabilities associated with the platform.
The advisory report the group initially released June 5 lists the six vulnerabilities. The list includes a DTLS invalid fragment vulnerability, a SSL/TLS MITM vulnerability, a DTLS recursion flaw, a pointer dereference, a session injection or denial of service, and an Anonymous ECDH denial of service bug.
Out of these six, Tech Republic points out that the first two are most worrisome. OpenSSL describes the DTLS invalid fragment vulnerability as “a buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server.” And it continues by mentioning that the vulnerability “is potentially exploitable to run arbitrary code on a vulnerable client or server.”
Tech Republic points out that this bug can affect businesses utilizing VPN and VoIP platforms because those platforms may require the use of DTLS – a method of encrypting UDP (News - Alert) packets. Hackers taking advantage of the DTLS vulnerability could potentially run code on a business's server from a remote location, so any business in the VPN or VoIP market will want to examine its code to find out if this flaw could hinder its operations.
The other worrisome problem, the SSL/TLC MITM vulnerability, stretches back to the early days of the software, and exploiting this flaw, “an attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” OpenSSL reports. Public Wi-Fi hotspots and open source VPNs may be at risk here, Tech Republic says, and that could result in the vulnerability as able to affect a substantial number of people.
Organizations operating VPNs, VoIP software products, Wi-Fi hotspots, or open source VPNs will want to upgrade their services as quickly as possible. OpenSSL says that the vulnerabilities have been patched and that users can upgrade their software versions to take advantage of those patches. Users of such services may still want to check that the software and platforms have been upgraded and are using that patches so they are not caught in any possible hacker crossfire.
Edited by Alisen Downey