
OpenSSL patches memory corruption and unauthorized decryption vulnerabilities

OpenSSL issued a series of patches in conjunction with the disclosure yesterday of six vulnerabilities, including two of high severity.

The first high-severity flaw, CVE-2016-2107, allows adversaries to use a man-in-the-middle technique to initiate a padding oracle attack that can decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. Such attacks exploit the “padding” process that expands variable-length plaintext messages in order for them to be compatible with cryptography programs.

Ironically, the vulnerability was created when OpenSSL previously issued a fix to prevent Lucky Thirteen timing attacks that can compromise TLS cryptography.
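A padding oracle exists whenever a receiver lets an observer tell a padding failure apart from a MAC failure. As an added example (not from the article and not OpenSSL's code), this Python sketch checks an already-decrypted TLS-style CBC record both ways; the function names, the HMAC-SHA256 choice and the record layout helper are assumptions, and since Python gives no timing guarantees it shows the control flow only.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag size (assumed MAC for this sketch)

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def build_record(key: bytes, data: bytes, block: int = 16) -> bytes:
    """MAC-then-pad as TLS CBC does: each pad byte equals the pad length."""
    body = data + _mac(key, data)
    pad_len = (block - (len(body) + 1) % block) % block
    return body + bytes([pad_len]) * (pad_len + 1)

def _split(rec: bytes, pad_len: int):
    """Return (data, tag) given the pad length at the end of the record."""
    end = len(rec) - pad_len - 1
    return rec[:end - MAC_LEN], rec[end - MAC_LEN:end]

def check_leaky(key: bytes, rec: bytes) -> str:
    """Weak form: a padding failure is reported differently from a MAC failure."""
    if len(rec) < MAC_LEN + 1:
        return "bad_padding"
    pad_len = rec[-1]
    if pad_len + 1 + MAC_LEN > len(rec) or rec[-pad_len - 1:] != bytes([pad_len]) * (pad_len + 1):
        return "bad_padding"  # early exit, MAC never computed
    data, tag = _split(rec, pad_len)
    return "ok" if hmac.compare_digest(_mac(key, data), tag) else "bad_mac"

def check_uniform(key: bytes, rec: bytes) -> str:
    """Hardened form: always compute the MAC, report one error for every failure."""
    if len(rec) < MAC_LEN + 1:
        return "bad_record_mac"
    pad_len = rec[-1]
    bad = 0
    if pad_len + 1 + MAC_LEN > len(rec):  # no room for MAC plus padding
        bad, pad_len = 1, 0               # keep going with a dummy pad length
    for b in rec[len(rec) - pad_len - 1:]:  # scan all pad bytes, no early exit
        bad |= b ^ pad_len
    data, tag = _split(rec, pad_len)
    mac_ok = hmac.compare_digest(_mac(key, data), tag)
    return "ok" if (mac_ok and bad == 0) else "bad_record_mac"
```

The length test in both functions rejects a pad length that leaves no room for the MAC, a case a record parser has to handle before it slices the buffer.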

The second major vulnerability, CVE-2016-2108, affected versions of OpenSSL issued prior to April 2015. The bug causing it was fixed back in June 2015, but more information has now come to light on its security implications. According to OpenSSL, the bug was in its implementation of ASN.1, a standard for encoding, transmitting and decoding data, and could have been exploited to trigger memory corruption.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
