Security News
The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken.
If you're an OpenSSL user, you're probably aware of the most recent high-profile bugfix release, which came out back in March 2022. Given the important "teachable moments" revealed by this bug, we covered it in detail not only on Naked Security, where we explained how to write a better style of code, but also on Sophos News, where SophosLabs showed the gory details of how a booby-trapped certificate could trigger the flaw, and how to debug the code to understand the bug.
American cybersecurity company Palo Alto Networks warned customers on Wednesday that some of its firewall, VPN, and XDR products are vulnerable to a high severity OpenSSL infinite loop bug disclosed three weeks ago. Even though the OpenSSL team released a patch two weeks ago when it publicly disclosed the bug, customers will have to wait until later this month when Palo Alto Networks plans to release security updates.
Customers of Taiwan-based QNAP Systems are in a bit of limbo, waiting until the company releases a patch for an OpenSSL bug that the company has warned affects most of its network-attached storage devices. Though the bug - tracked as CVE-2022-0778 and rated 7.5 on the CVSS severity-rating scale - has been patched by OpenSSL, QNAP hasn't gotten around to applying a fix yet for its NAS devices affected by the vulnerability.
Taiwanese company QNAP this week revealed that a selected number of its network-attached storage appliances are affected by a recently-disclosed bug in the open-source OpenSSL cryptographic library. "An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS," the company said in an advisory published on March 29, 2022.
Taiwan-based network-attached storage maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago. Attackers can exploit the vulnerability, tracked as CVE-2022-0778, to trigger a denial of service state and remotely crash unpatched devices.
Amusingly, if we're allowed to say that, the bug only gets triggered if a program decides to do the right thing when making or accepting a secure connection, and verifies the cryptographic certificate supplied by the other end. The OpenSSL implementation of the Tonelli-Shanks algorithm had a bug that was unlikely to show up in normal use, but could be triggered on purpose by feeding in data that would force the code to misbehave.
OpenSSL has released a security update to address a vulnerability in the library that, if exploited, triggers an infinite loop and leads to denial of service conditions. In this case, the high-severity OpenSSL problem lies in a bug in the BN_mod_sqrt() function: if served a maliciously crafted certificate to parse, it will enter an infinite loop.
The maintainers of OpenSSL have shipped patches to resolve a high-severity security flaw in its software library that could lead to a denial-of-service condition when parsing certificates. "Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack," OpenSSL said in an advisory published on March 15, 2022.
A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve. The vulnerability stems from a bug in the BN_mod_sqrt() function, which the OpenSSL team said is used to parse certificates that "contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form." As it turns out, all you need to do to trigger an infinite loop in BN_mod_sqrt() is hand an OpenSSL-based application or service a certificate with invalid explicit curve parameters.