AL2021_09 OpenSSL Releases Patches for 2 High-Severity Security Vulnerabilities (25th March, 2021)

Description

On 25th March, 2021, OpenSSL published a security update for recently discovered vulnerabilities in its software, which can be used to carry out denial-of-service (DoS) attacks. It is recommended that you take the necessary precautions by ensuring your products are always kept up to date.

How it works

Two vulnerabilities, CVE-2021-3449 and CVE-2021-3450, were discovered in the OpenSSL software. CVE-2021-3449 is a potential DoS risk arising from a NULL pointer dereference: an OpenSSL TLS server can be made to crash if, in the course of renegotiation, the client transmits a malicious "ClientHello" message during the handshake between the server and a user.

CVE-2021-3450 relates to the X509_V_FLAG_X509_STRICT flag, which enables additional security checks on the certificates present in a certificate chain. While this flag is not set by default, an error in the implementation meant that OpenSSL failed to check that "non-CA certificates must not be able to issue other certificates," resulting in a certificate check bypass.
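To turn the two CVEs into something an administrator can check on a host, here is a Python snippet added by the editor; it is not code from the CIRT alert or from the OpenSSL project. It assumes the affected ranges given in the linked OpenSSL advisory (1.1.1 up to 1.1.1j for CVE-2021-3449; 1.1.1h up to 1.1.1j for CVE-2021-3450, and only when the strict flag is set) and uses the Python `ssl` module's names for the OpenSSL flags.

```python
import ssl

# Fixed release named by the advisory: 1.1.1k. ssl.OPENSSL_VERSION_INFO encodes the
# patch letter as a number (a=1 ... k=11), so 1.1.1k reports as (1, 1, 1, 11, ...).
FIXED_1_1_1 = (1, 1, 1, 11)
STRICT_FLAG = ssl.VERIFY_X509_STRICT  # Python's name for X509_V_FLAG_X509_STRICT


def vulnerable_to_cve_2021_3449(version):
    """Server crash on a renegotiation ClientHello: 1.1.1 up to and including 1.1.1j.

    `version` is a tuple shaped like ssl.OPENSSL_VERSION_INFO; 1.0.2 is not affected.
    """
    major, minor, fix, patch = version[:4]
    return (major, minor, fix) == (1, 1, 1) and patch < FIXED_1_1_1[3]


def vulnerable_to_cve_2021_3450(version, verify_flags):
    """Strict-mode CA check bypass. Only reachable when X509_V_FLAG_X509_STRICT is
    set; the OpenSSL advisory limits it to 1.1.1h through 1.1.1j (h=8, j=10)."""
    major, minor, fix, patch = version[:4]
    strict = bool(verify_flags & STRICT_FLAG)
    return strict and (major, minor, fix) == (1, 1, 1) and 8 <= patch < FIXED_1_1_1[3]


def hardened_server_context():
    """Server context with renegotiation disabled, as defence in depth while patching.
    Renegotiation is the code path CVE-2021-3449 needs; a TLS 1.3-only server would
    also not renegotiate, but that is a compatibility decision for the operator."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def context_disables_renegotiation(ctx):
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)


def assess_running_openssl(verify_flags=0):
    """Report both CVEs against the OpenSSL this interpreter is linked against."""
    v = ssl.OPENSSL_VERSION_INFO
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "CVE-2021-3449": vulnerable_to_cve_2021_3449(v),
        "CVE-2021-3450": vulnerable_to_cve_2021_3450(v, verify_flags),
    }


if __name__ == "__main__":
    # Pass STRICT_FLAG to model an application that enables strict chain checking.
    print(assess_running_openssl(verify_flags=STRICT_FLAG))
```

Disabling renegotiation is a stop-gap only; the fix is the 1.1.1k update, and the check above only reads the library Python is linked against, not every OpenSSL copy on the host.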

Solution

OpenSSL has addressed these two vulnerabilities in the OpenSSL 1.1.1k update.

For more information on this OpenSSL update, follow this URL:

https://www.openssl.org/news/secadv/20210325.txt

The Guyana National CIRT recommends that users and administrators review this alert and apply updates where necessary.