HomeBreaking Newshacking

OpenSSL Project fixed high-severity CVE-2020-1967 DoS issue in OpenSSL

The OpenSSL Project has released a security update for OpenSSL that addresses a DoS vulnerability tracked as CVE-2020-1967. The OpenSSL Project releas

Holy water targets religious figures and charities in Asia
The Australian government wants to respond to attacks on critical infrastructure
France will not ban Huawei from its upcoming 5G networks

The OpenSSL Project has released a security update for OpenSSL that addresses a DoS vulnerability tracked as CVE-2020-1967.

The OpenSSL Project released a security update for OpenSSL that patches a high-severity vulnerability, tracked as CVE-2020-1967, that can be exploited by attackers to launch denial-of-service (DoS) attacks. This is the first issue addressed in OpenSSL in 2020.

The CVE-2020-1967 vulnerability has been described as a “segmentation fault” in the SSL_check_chain function.

“Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the ‘signature_algorithms_cert’ TLS extension,” reads the advisory published by the OpenSSL Project.

“The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.”

The vulnerability affects OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, and it has been patched with the release of version 1.1.1g.

The organization pointed out that older versions 1.0.2 and 1.1.0 are not affected by the vulnerability.

This vulnerability was discovered by Bernd Edlinger and reported to OpenSSL on 7th April 2020, the researchers found the issue by using the new static analysis pass being implemented in the GNU Compiler Collection (GCC) static code analyzer. The security duo Matt Caswell and Benjamin Kaduk performed additional analyses.

“This issue did not affect OpenSSL 1.0.2 however these versions are out of support and no longer receiving public updates.” continues the advisory. “Extended support is available for premium support customers:

https://www.openssl.org/support/contracts.html

“This issue did not affect OpenSSL 1.1.0 however these versions are out of support and no longer receiving updates. Users of these versions should upgrade to OpenSSL 1.1.1.”

Pierluigi Paganini

(SecurityAffairs – CVE-2020-1967, hacking)

Share this…
Share on Facebook

Facebook

Tweet about this on Twitter

Twitter

Share on LinkedIn

Linkedin

Share on Reddit

Reddit

Pin on Pinterest

Pinterest




COMMENTS

WORDPRESS: 0
%d bloggers like this:
Close Bitnami banner
Bitnami