On Monday, the OpenSSL project team announced that new releases would be available today to fix security issues in OpenSSL discovered as part of a major security audit and code refactoring project. The announcement caused a general panic in the IT and security community because it mentioned that high severity vulnerabilities were being patched, leading many to believe the issues could be as severe as Heartbleed.
Luckily, it appears the security community has dodged a bullet: the two “high severity” vulnerabilities that were patched are not as severe as Heartbleed. The two high severity vulnerabilities are CVE-2015-0291 and CVE-2015-0204. CVE-2015-0291 can result in a denial of service attack against a server that requests a client’s cert, which is not something that would occur in most circumstances, as it is usually the client that requests the server’s certificate.
The CVE-2015-0204 vulnerability is a reclassification of the existing and well-known FREAK vulnerability (CVE-2015-0204 & CVE-2015-1637); rules for detection are already available in Tripwire IP360. Below are the two high severity vulnerability descriptions from the advisory provided by the OpenSSL project:
CVE-2015-0291 – OpenSSL 1.0.2 ClientHello sigalgs DoS
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.
This issue affects OpenSSL version: 1.0.2
OpenSSL 1.0.2 users should upgrade to 1.0.2a.
This issue was reported to OpenSSL on 26th February 2015 by David Ramos
of Stanford University. The fix was developed by Stephen Henson and Matt
Caswell of the OpenSSL development team.
CVE-2015-0204 – Reclassified: RSA silently downgrades to EXPORT_RSA [Client]
This security issue was previously announced by the OpenSSL project and
classified as “low” severity. This severity rating has now been changed to
This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.
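The upgrade guidance in the two advisory entries above can be turned into a check over `openssl version` banner strings. This is an added example, not code from the OpenSSL project or the original post; the function names and sample banners are constructed for illustration, and it assumes the banner uses upstream version numbering.

```python
import re

# Fixed release per affected branch, copied from the advisory text above.
FIXED_IN = {
    "CVE-2015-0291": {"1.0.2": "a"},
    "CVE-2015-0204": {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"},
}

# Matches "1.0.1f" alone or inside a banner like "OpenSSL 1.0.1f 6 Jan 2014".
# Suffixes such as "-fips" are ignored.
_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, patch_letters), e.g. ("0.9.8", "zd")."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return match.group(1), match.group(2)


def patch_rank(letters):
    """Order patch letters: "" < "a" < ... < "z" < "za" < "zb" ..."""
    # Shorter suffixes sort first, so "z" ranks below "zd".
    return (len(letters), letters)


def affected_by(version_text):
    """List the CVEs from this advisory whose fix the given version predates."""
    branch, letters = parse_version(version_text)
    return sorted(
        cve
        for cve, fixed in FIXED_IN.items()
        if branch in fixed and patch_rank(letters) < patch_rank(fixed[branch])
    )


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    samples = [
        "OpenSSL 1.0.2 22 Jan 2015",
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 1.0.1k 8 Jan 2015",
    ]
    for banner in samples:
        hits = affected_by(banner)
        print(f"{banner}: {', '.join(hits) if hits else 'not listed as affected'}")
```

Distribution packages often backport fixes without changing the upstream letter, so a hit from a banner check should be confirmed against the vendor's changelog.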