Security News

A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve. The vulnerability stems from a bug in the BN mod sqrt() function, which the OpenSSL team said is used to parse certificates that "Contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form." As it turns out, all you need to do to trigger an infinite loop in BN mod sqrt() is hand an OpenSSL-based application or service a certificate with invalid explicit curve parameters.

Simply put, some internal errors in OpenSSL - a genuine but unlikely error, for example, such as running out of memory, or a flaw elsewhere in OpenSSL that provokes an error where there wasn't one - don't get reported correctly. Instead of percolating back to your application precisely, these errors get "Remapped" as they are passed back up the call chain in OpenSSL, where they ultimately show up as a completely different sort of error.

Offensive Security has released Kali Linux 2021.3, the latest version of its popular open source penetration testing platform. OpenSSL has been configured for wider compatibility, allowing the use of legacy protocols, meaning that Kali can now talk to older, legacy systems that use them.

Learn tips on how you can use the Linux openssl command to find critical certificate details. It's important to not only keep an eye on upcoming SSL certificate expirations but to completely verify the success of renewing/replacing these certificates.

The OpenSSL Project has released OpenSSL 3.0, a major new stable version of the popular and widely used cryptography library. OpenSSL contain an open-source implementation of the SSL and TLS protocols, which provide the ability to secure communications across networks.

The OpenSSL team has released version 3.0 of its eponymous secure communications library after a lengthy gestation period. Coming nearly three years after its predecessor, version 1.1.1, the update lays claim to 17 alpha releases, two beta releases, and more than 7,500 commits.

Network-attached storage appliance maker QNAP said it's currently investigating two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable. "A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash," according to the advisory for CVE-2021-3711.

On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service bugs, fixed last week, that affect its network-attached storage devices. Many popular open-source programming libraries that support it - including OpenSSL, LibreSSL and BoringSSL, "Have kept old-school product names for the sake of familiarity," Ducklin commented in a recent drilldown into the OpenSSL bugs.

Network-attached storage maker QNAP is investigating and working on security updates to address remote code execution and denial-of-service vulnerabilities patched by OpenSSL last week. The security flaws tracked as CVE-2021-3711 and CVE-2021-3712, impact QNAP NAS device running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync, according to advisories [1, 2] published earlier today.

The well-known and widely-used encryption library OpenSSL released a security patch earlier this week. Despite having TLS support as its primary aim, OpenSSL also lets you access the lower-level functions on which TLS itself depends, so you can use the libcrypto part of OpenSSL to do standalone encryption, compute file hashes, verify digital signatures and even do arithmetic with numbers that are thousands of digits long.