Security News > 2021 > August > Big bad decryption bug in OpenSSL – but no cause for alarm

Big bad decryption bug in OpenSSL – but no cause for alarm
2021-08-27 18:03

The well-known and widely-used encryption library OpenSSL released a security patch earlier this week.

Despite having TLS support as its primary aim, OpenSSL also lets you access the lower-level functions on which TLS itself depends, so you can use the libcrypto part of OpenSSL to do standalone encryption, compute file hashes, verify digital signatures and even do arithmetic with numbers that are thousands of digits long.

You can can safely treat OpenSSL's ASN.1 strings as C strings, but only if they were generated by OpenSSL's special "Always add the NUL byte" functions, otherwise you could end up with an unterminated string, and all the problems that can cause.

As a result, with clever shenanigans, it might be possible for an attacker to trick OpenSSL into printing out data that goes beyond the end of the memory buffer.

So the bug is in there, down in the low-level OpenSSL libcrypto code, but if you use OpenSSL at the TLS level to make or accept secure connections, we don't think you can open up a session in which the buggy code could be triggered.

Although most software on Windows, Mac, iOS and Android will not be using OpenSSL, because those platforms have their own alternative TLS implementations, some software may include an OpenSSL build of its own and will need updating independently.


News URL

https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 1 7 48 51 13 119