Recently disclosed vulnerabilities in OpenSSL could leave systems open to denial-of-service attacks at a minimum and, at worst, remote compromise.
Experts recommend that users of affected systems upgrade to OpenSSL 0.9.7c or 0.9.6k. Other applications use OpenSSL's libraries, so companies should check with their software vendors to see whether their software is affected.
All versions of OpenSSL up to and including 0.9.6j and 0.9.7b are affected, according to an advisory by the OpenSSL Project, the group that develops the software. All versions of SSLeay are also susceptible, as is any application that makes use of OpenSSL's ASN.1 library to parse untrusted data.
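The affected ranges above can be turned into an inventory check. The following is an added example, not code from the OpenSSL Project or the advisory; the function names, the banner formats it accepts and the sample inventory are assumptions constructed for illustration.

```python
import re

# Last affected releases per the advisory quoted above;
# the fixed releases are 0.9.6k and 0.9.7c.
LAST_AFFECTED_096 = (0, 9, 6, "j")
LAST_AFFECTED_097 = (0, 9, 7, "b")

# Accepts "OpenSSL 0.9.7b 10 Apr 2003" and "OpenSSL/0.9.6j" style strings.
_BANNER = re.compile(r"OpenSSL[\s/]+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Return (major, minor, fix, letter) or None if no version is found."""
    m = _BANNER.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_affected(version):
    """True for anything up to 0.9.6j, and for 0.9.7 through 0.9.7b."""
    if version <= LAST_AFFECTED_096:
        return True
    return (0, 9, 7, "") <= version <= LAST_AFFECTED_097


def triage(inventory):
    """Map each host to 'upgrade', 'ok' or 'unknown' from its banner."""
    report = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            report[host] = "unknown"
        else:
            report[host] = "upgrade" if is_affected(version) else "ok"
    return report


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web01": "Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.6j",
    "web02": "OpenSSL 0.9.7c 30 Sep 2003",
    "mail01": "OpenSSL 0.9.7b 10 Apr 2003",
    "legacy": "OpenSSL 0.9.5a 1 Apr 2000",
    "appliance": "vendor TLS stack, version not reported",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(host, status)
```

A banner only reflects the library that reports it; applications that bundle OpenSSL's ASN.1 code, and hosts reported as "unknown", still need confirmation from the software vendor.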
SSL and TLS are not based on ASN.1, but they rely on ASN.1 objects when dealing with X.509 certificates. ASN.1 is the standard for coding and transmitting complex data structures, similar to XML. The flaws are exploited by deliberately violating the rules of ASN.1.
The problems with ASN.1 date back to last year, when the Security Programming Group at Finland's University of Oulu found vulnerabilities in the Simple Network Management Protocol (SNMP). The SNMP flaws were found in a host of systems, including servers, routers and printers from vendors such as Microsoft, Hewlett-Packard Co., Cisco Systems Inc., Novell Inc. and 3Com Corp.
The Oulu team discovered the flaws could be exploited by sending data packets that violated the rules of ASN.1. Since then, government officials on both sides of the Atlantic have become interested in other ways ASN.1 could be exploited by consciously violating the rules of the data structure.
The OpenSSL vulnerabilities were found by a testing tool developed by the U.K.-based National Infrastructure Security Co-ordination Centre to test the security of network protocols. The development team of OpenSSL found three flaws with the tool.
So far, not a lot of technical details have been released about the flaws, which is a good thing, because it will buy administrators time to protect their systems, said Aaron Schaub, security analyst at Herndon, Va.-based TruSecure Corp. "This lack of technical data will force underground exploit developers to engage in more extensive research and development efforts in order to craft appropriate exploit code."