In the two months since the OpenSSL vulnerability known as Heartbleed hit the headlines and active solutions were offered to plug the security breach, more vulnerabilities have begun to surface.
The OpenSSL project has announced six additional vulnerabilities for the organization's cryptography platform, creating some concern that there are additional flaws yet to be uncovered. That latest batch of vulnerabilities include denial of service, information disclosure and potential remote code execution - all of which should be of a major concern to anyone protecting corporate IT resources.
Two particularly troublesome flaws
Of the six newly identified flaws, two seem to be the most troublesome. Those two flaws are identified by OpenSSL's nomenclature as CVE-2014-0195 and CVE-2014-0224. OpenSSL describes CVE-2014-0195 as "A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server."
Simply put, that means remote code execution can be a possibility and anyone deploying DTLS needs to be keenly aware of the magnitude of that threat. DTLS is a relatively new extension, which allows for the encryption of UDP packets and is used by some VPN and VOIP solutions. So those leveraging OpenSSL technology for their VPN and VOIP solutions need to check if DTLS is in use to mitigate the problem.
An even more troublesome threat comes in the form of CVE-2014-0224, an unexciting moniker for what could turn out to be a tremendous problem, espescially since all versions of OpenSSL acting as a client are vulnerable.
The CVE-2014-0224 flaw goes back to the 1998, when the code was first originated, meaning that versions 1.0.1 and higher of the server are vulnerable. However, the vulnerability only exists if both the client and the server are running vulnerable versions of OpenSSL.
A toothless threat?
While that may sound like a serious problem, the fact of the matter is that although the impacted SSL/TLS component is most commonly used for browsing the web, The most popular browsers (Firefox, Chrome and Internet Explorer) do not use OpenSSL for their cryptographic functions - meaning that CVE-2014-0224 may be a toothless threat for the majority of users.
Nonetheless, there are situations where SSL/TLS and OpenSSL are quite common, take for example public WiFi hot spots and open source VPNs. Simply put, there are a whole lot of applications using OpenSSL as evidenced by the impact of Heartbleed.
So, what exactly can you do to minimize those threats? Have users avoid using unencrypted public WiFi for important communications and patch early and often - vendors that use OpenSSL are scrambling to post updates for applications and solutions, with many programs computers and Android smartphones being updated automatically over the next few weeks. For those managing Linux and Unix servers or workstations, updates should already be available from your OS distribution, apply them now (and restart affected services).