Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday April 24 2020, @06:42PM   Printer-friendly
from the update-your-packages-now dept.

GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
Static analyzer proves its worth with discovery of null-pointer error

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL.

Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It is possible to crash a server or application that uses a vulnerable build of OpenSSL by sending specially crafted messages while setting up a TLS 1.3 connection.

This means it's possible to disrupt or knock offline HTTPS websites that use a vulnerable version of the crypto library, by sending a prod-of-death. It can also be used by rogue servers to crash web browsers and other apps connecting in.

OpenSSL is a software library widely used to provide encrypted connections across networks and the internet. Here's the technical description from the OpenSSL maintainers of the flaw:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

[...] The analyzer is available from the master branch of the GCC 10 source code. It's hoped the feature will be finalized in time for version 10's official release, due this month or next. The current latest version is 9.3.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Sunday April 26 2020, @02:16AM

    by Anonymous Coward on Sunday April 26 2020, @02:16AM (#987167)

    (same poster)

    Perhaps a good idea is to charge a small account maintenance fee but to give the account a transaction fee credit in exchange. So what the account loses in the form of account maintenance fees it makes back in the form of saving on transaction fees later on so there is little to no net loss on the account.

    Of course there is an associated cost to keeping track of how much credit each account has so perhaps if the account eventually goes to zero due to account maintenance fees and has no activity for an extended period of time it could start slowly losing its transaction fee credit until it has no transaction fee credit and there is no reason to keep a recent record of any account information.

    Just some random thoughts.