OpenSSL Updated -- New Security Vulnerabilities Disclosed -- FREAK and DoS

OpenSSL has received a major update to all branches, introducing versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

They have also released the new list of vulnerabilities that were closed by the new versions. This includes a "severe" rating DoS attack that can overload servers, and a "moderate" rating attack that can corrupt areas of server memory.

They also have reclassified the "FREAK" attack from its original "low" rating to "high" because additional research has shown that there is extensive legacy support for the EXPORT grade RSA keys hanging around in a huge number of apps. Export RSA keys (512-bit RSA) are too weak for 2015 standards and should not be used under any conditions. This is of grave concern because a large number of apps support this key length and OpenSSL had a vulnerability that would allow a man-in-the-middle to downgrade keys to export grade during negotiation. The impact of the attack is severe (loss of all privacy / faulty encryption) but it was originally believed to only be in very rare cases with some legacy software. As it turns out, there are a huge number of apps that support Export, making it a high severity vulnerability that is more widespread than previously thought.

The rest of the updates are moderate to low level severity and mostly circle around "FREAK-like" attacks on various parts of OpenSSL. It appears that the OpenSSL team and open-source researchers were combing through the code looking for places where sending invalid data to OpenSSL would generate errors that could either modify data or encryption or potentially crash the host with heavy resource usage.

VikingVPN Security Impact

These severe vulnerabilities do not impact VikingVPN, as we do not use autonegotiation (required to initiate the FREAK attack) and we have extra layers of security specifically to mitigate man-in-the-middle attacks (the HMAC firewall). The servers may have been vulnerable to the moderate risk denial-of-service attacks, but we saw no evidence of them being used against our network.

It is likely that the Windows OpenVPN client and Tunnelblick, our recommended client for Apple OSX will receive updates in the next 24 hours to pair the software with the new version of OpenSSL. We recommend upgrading to the new releases when they come, but do not foresee any risks with staying with the current OpenVPN version.

The OpenSSL security advisory is here: http://openssl.org/news/secadv_20150319.txt

< last
next >