
posted by martyb on Friday April 24 2020, @06:42PM
from the update-your-packages-now dept.

GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
Static analyzer proves its worth with discovery of null-pointer error

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL.

Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw rated high severity by the OpenSSL team. A peer can crash a server or application that uses a vulnerable build of OpenSSL by sending specially crafted messages while setting up a TLS 1.3 connection. The affected releases are OpenSSL 1.1.1d, 1.1.1e and 1.1.1f; the fix shipped in 1.1.1g, and the 1.0.2 branch is not affected.

This means it's possible to disrupt or knock offline HTTPS websites that use a vulnerable version of the crypto library, by sending a prod-of-death. A malicious server can likewise crash client applications connecting in. The exposure is limited to programs that call SSL_check_chain() themselves, so the first thing to check, beyond the library version, is whether your TLS-terminating software actually does so.

OpenSSL is a software library widely used to provide encrypted connections across networks and the internet. Here's the technical description from the OpenSSL maintainers of the flaw:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

[...] The analyzer is available from the master branch of the GCC 10 source code. It's hoped the feature will be finalized in time for version 10's official release, due this month or next. The current latest version is 9.3.
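The defect class behind CVE-2020-1967 is a lookup that returns NULL for an unrecognised peer-supplied value, followed by code that dereferences the result without checking it. The block below is an added example, not OpenSSL's code and not the analyzer's own test case: it models that shape in a self-contained way, with the vulnerable check beside the fixed one. The struct, function and enum names are hypothetical; the 16-bit SignatureScheme codes are the values assigned in RFC 8446. GCC 10's analyzer is enabled with `-fanalyzer`, and a NULL dereference it can prove along a path is reported as `-Wanalyzer-null-dereference`.

```c
/*
 * Added example (not OpenSSL code): a simplified model of the
 * CVE-2020-1967 pattern.  A lookup helper returns NULL for an
 * unrecognised signature-scheme code taken from the peer's
 * "signature_algorithms_cert" extension, and a chain check then
 * dereferences that pointer.  Type, function and NID names are
 * hypothetical; the scheme codes are the RFC 8446 values.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical local identifiers for signature algorithms. */
enum sig_nid {
    SIG_RSA_PKCS1_SHA256 = 1,
    SIG_ECDSA_P256_SHA256,
    SIG_RSA_PSS_RSAE_SHA256,
    SIG_ED25519
};

typedef struct {
    uint16_t code;      /* SignatureScheme value on the wire */
    const char *name;
    enum sig_nid nid;   /* local identifier the certificate is matched on */
} sigalg_lookup;

static const sigalg_lookup sigalg_table[] = {
    { 0x0401, "rsa_pkcs1_sha256",       SIG_RSA_PKCS1_SHA256 },
    { 0x0403, "ecdsa_secp256r1_sha256", SIG_ECDSA_P256_SHA256 },
    { 0x0804, "rsa_pss_rsae_sha256",    SIG_RSA_PSS_RSAE_SHA256 },
    { 0x0807, "ed25519",                SIG_ED25519 },
};

/* Returns NULL when the peer advertises a code we have no entry for. */
static const sigalg_lookup *lookup_sigalg(uint16_t code)
{
    size_t i;
    for (i = 0; i < sizeof sigalg_table / sizeof sigalg_table[0]; i++)
        if (sigalg_table[i].code == code)
            return &sigalg_table[i];
    return NULL;
}

/*
 * Vulnerable shape: assumes every peer-supplied code resolves.
 * With an unknown code (e.g. 0xFFFF) 'lu' is NULL and 'lu->nid'
 * crashes the process.  Returns 1 if the certificate's algorithm
 * is acceptable to the peer, 0 otherwise.
 */
int check_chain_vulnerable(const uint16_t *peer_codes, size_t n,
                           enum sig_nid cert_nid)
{
    size_t i;
    for (i = 0; i < n; i++) {
        const sigalg_lookup *lu = lookup_sigalg(peer_codes[i]);
        if (lu->nid == cert_nid)      /* NULL dereference on unknown code */
            return 1;
    }
    return 0;
}

/* Fixed shape: an unrecognised code is skipped rather than trusted. */
int check_chain_fixed(const uint16_t *peer_codes, size_t n,
                      enum sig_nid cert_nid)
{
    size_t i;
    for (i = 0; i < n; i++) {
        const sigalg_lookup *lu = lookup_sigalg(peer_codes[i]);
        if (lu != NULL && lu->nid == cert_nid)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed peer input: one bogus code followed by a real one. */
    const uint16_t hostile[] = { 0xFFFF, 0x0804 };

    printf("fixed check: %d\n",
           check_chain_fixed(hostile, 2, SIG_RSA_PSS_RSAE_SHA256));
    /* check_chain_vulnerable(hostile, 2, ...) would dereference NULL here. */
    return 0;
}
```

To see the analyzer at work, save the block as, say, `sigalg_check.c` (a hypothetical filename) and build it with `gcc -O1 -fanalyzer sigalg_check.c`; the NULL return from `lookup_sigalg` reaching `lu->nid` in `check_chain_vulnerable` is exactly the kind of interprocedural path the analyzer is built to report, while `check_chain_fixed` gives it nothing to flag. The analyzer only reports paths it can model, so a clean run is evidence, not proof, and the explicit NULL check remains the fix.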


  • (Score: 5, Informative) by dwilson on Saturday April 25 2020, @02:19AM (3 children)
    What about LibreSSL [libressl.org]? More or less API-compatible with OpenSSL, and run by the OpenBSD project.

    --
    - D
  • (Score: 2) by gtomorrow on Saturday April 25 2020, @09:38AM (2 children)

    To you and OP, is there a tl;dr version about how to go about switching from OpenSSL to (for example) LibreSSL?

    • (Score: 0) by Anonymous Coward on Saturday April 25 2020, @11:01AM

      There used to be a couple of big packages that needed patches, but I don't think that's a problem anymore. Probably your distro has a package that just works.

    • (Score: 2) by dwilson on Saturday April 25 2020, @04:39PM

      To you and OP, is there a tl;dr version about how to go about switching from OpenSSL to (for example) LibreSSL?

As an end-user, or as a developer that's currently linking against OpenSSL? Either way, some distros make it easier than others. Gentoo has a pretty decent write-up [gentoo.org] for switching to LibreSSL. I don't know what other distributions offer in terms of documentation.

      But when dealing with something as widespread and fundamental as an ssl library, the tl;dr for just about any migration-situation is: "It's gonna be a crapshoot, get to it and good luck".

      --
      - D