Now a refresher for the enthusiastic...
One way or another you heard about the Heartbleed vulnerability in the OpenSSL package. If you didn't, then a little technical lesson:
OpenSSL is an open source implementation of SSL/TLS; in other words, if you want something like HTTPS on your website you can use this package. HTTPS lets you talk to a server over encrypted traffic so no one can eavesdrop. The Heartbleed bug simply sends the server a request like "hello", which is 5 letters, and asks it to reply back with it; normally it will reply with 5 letters as well. BUT here is the trick: the attacker asks the server to reply with more, up to 64KB of data. From where does it get it? Well, from whatever sits in the server's memory next to the request, so this can dump anything held in the server's memory. DANGEROUS, because who knows what will be revealed: passwords, accounts, credit cards, etc.
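The length check that Heartbleed lacked, as an added example (not OpenSSL's code and not from the original post): a heartbeat responder that discards any request whose claimed payload length does not fit in the bytes actually received. Function and constant names are hypothetical; the message layout (1-byte type, 2-byte length, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3   /* 1 byte type + 2 byte payload length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Build a heartbeat response for one received record (hypothetical helper).
 * Returns the response length, or -1 if the request must be discarded. */
static long hb_build_response(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;

    /* Length the sender CLAIMS the payload has; never trust it as-is. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The missing check: header + claimed payload + padding must fit
     * inside the bytes that were really received. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return -1;

    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* echo only received bytes */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* zeros here; TLS uses random padding */
    return (long)resp_len;
}

int main(void)
{
    /* Constructed samples: "hello" with an honest length of 5, then the
     * same bytes claiming 0x4000 bytes of payload. */
    uint8_t ok[24]  = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t bad[24] = {HB_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    printf("honest request: %ld\n", hb_build_response(ok, sizeof ok, out, sizeof out));
    printf("oversized claim: %ld\n", hb_build_response(bad, sizeof bad, out, sizeof out));
    return 0;
}
```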
To top it off, the OpenSSL foundation released a patch for 6 vulnerabilities to stop Man-in-the-middle attacks, or MiTM for short. Here are those vulnerabilities:
DTLS invalid fragment vulnerability (CVE-2014-0195): Sending invalid DTLS fragments to an OpenSSL DTLS client or server can lead to a buffer overrun attack. A potential hacker could exploit this flaw to run arbitrary code on a vulnerable client or server. This vulnerability is also marked as a critical bug. DTLS is mainly used in VOIP and other communication-related applications like Cisco Systems’ AnyConnect VPN Client. The Chrome and Firefox web browsers also support DTLS for WebRTC (Web Real-Time Communication) for P2P file sharing and Voice/Video Chats.
DTLS recursion flaw (CVE-2014-0221): A remote attacker can send an invalid DTLS (Datagram Transport Layer Security) handshake to an OpenSSL DTLS client, which will force the code to recurse, eventually crashing in a DoS attack. This attack is limited to applications using OpenSSL as a DTLS client.
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198), allows remote attackers to cause a denial of service via a NULL pointer dereference.
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298), allows remote attackers to inject data across sessions or cause a denial of service.
Anonymous ECDH denial of service (CVE-2014-3470), OpenSSL TLS clients enabling anonymous ECDH (Elliptic Curve Diffie Hellman) ciphersuites are subject to a denial of service attack.
But the good news is that these vulnerabilities are not as critical as the Heartbleed bug. The patched versions 0.9.8za, 1.0.0m and 1.0.1h are available to download on the project website, and the OpenSSL Foundation is urging companies to update their implementations as soon as possible.