On 25th March 2021, OpenSSL published a security update for recently discovered vulnerabilities in its software which can be used to carry out denial-of-service (DoS) attacks. It is recommended that you take the necessary precautions by ensuring your products are always kept up to date.
How it works
Two vulnerabilities, CVE-2021-3449 and CVE-2021-3450, were discovered in the OpenSSL software. CVE-2021-3449 concerns a potential DoS risk arising from a NULL pointer dereference: an OpenSSL TLS server can crash if, in the course of renegotiation, the client transmits a maliciously crafted “ClientHello” message during the handshake with the server.
CVE-2021-3450 relates to the X509_V_FLAG_X509_STRICT flag, which enables additional security checks on the certificates present in a certificate chain. While this flag is not set by default, an error in the implementation meant that OpenSSL failed to check that "non-CA certificates must not be able to issue other certificates," resulting in a certificate validation bypass.
OpenSSL has addressed both vulnerabilities in the OpenSSL 1.1.1k update.
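As an added example (not part of this advisory or of OpenSSL's own tooling), the following Python script parses the output of `openssl version` and reports which of the two CVEs apply to that build. It assumes the affected ranges published with the OpenSSL 1.1.1k release: CVE-2021-3449 affects 1.1.1 through 1.1.1j and CVE-2021-3450 affects 1.1.1h through 1.1.1j, with 1.0.2 unaffected; the sample version strings in the code are constructed.

```python
import re
import subprocess

# Affected ranges as published with the OpenSSL 1.1.1k release (25 March 2021).
# OpenSSL 1.1.1 patch levels are letter suffixes: 1.1.1 < 1.1.1a < ... < 1.1.1j < 1.1.1k.
AFFECTED = {
    "CVE-2021-3449": ("1.1.1", "1.1.1j"),   # TLS server NULL dereference during renegotiation
    "CVE-2021-3450": ("1.1.1h", "1.1.1j"),  # X509_V_FLAG_X509_STRICT CA check bypass
}
FIXED_IN = "1.1.1k"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.1.1j  16 Feb 2021' into a comparable tuple (1, 1, 1, 10).

    The patch letter becomes its alphabet position (a=1 ... z=26); a bare
    version such as 1.1.1 gets 0, and a two-letter suffix such as 'za' sorts
    after every single letter, matching OpenSSL's own ordering.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters = match.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def applicable_cves(version_text):
    """Return the CVEs from this advisory whose affected range covers the version."""
    version = parse_version(version_text)
    return [
        cve
        for cve, (low, high) in AFFECTED.items()
        if parse_version("OpenSSL " + low) <= version <= parse_version("OpenSSL " + high)
    ]


def check_local_openssl():
    """Run 'openssl version' on this host and return (version line, applicable CVEs)."""
    output = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout.strip()
    return output, applicable_cves(output)


if __name__ == "__main__":
    line, cves = check_local_openssl()
    print(line, "->", ", ".join(cves) if cves else f"not affected (fixed in {FIXED_IN})")
```

Distribution packages often backport the fix without changing the upstream version string (a vendor build still reporting 1.1.1d may already be patched), so treat a match as a prompt to check the package changelog rather than as proof of exposure.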
For more information on this OpenSSL update, you can follow this URL:
The Guyana National CIRT recommends that users and administrators review this alert and apply updates where necessary.