Date: 2021-03-01

OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers.

[...] On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-service vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier.

"Anyway, sounds like you can crash most OpenSSL servers on the Internet today," he added.

CVE-2021-3449 looks like it could have been found easily if anyone figured out how to fuzz renegotiation, but renegotiation is sadness. Anyway, sounds like you can crash most OpenSSL servers on the Internet today. — Filippo Valsorda 💚🤍❤️ ✊ (@FiloSottile) March 25, 2021

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiation request during the initial handshake that establishes a secure connection between an end user and a server.

[...] OpenSSL versions 1.1.1h and newer are vulnerable. OpenSSL 1.0.2 is not impacted by this issue. Akamai researchers Xiang Ding and Benjamin Kaduk discovered and reported the bug, respectively. It was patched by Tomáš Mráz, a principal software engineer at Red Hat and a member of the OpenSSL Technical Committee.

Apps that use a vulnerable OpenSSL version should upgrade to OpenSSL 1.1.1k as soon as possible.
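As an added triage helper (not from the article or from the OpenSSL project), the following Python classifies `openssl version` output against the range the article gives: 1.1.1h up to, but not including, the fixed release 1.1.1k. The version strings it is run on are constructed samples, and it compares release identifiers only, so a pre-release build such as a "-dev" snapshot is not specially handled.

```python
import re

# Regex for OpenSSL 1.x version strings as printed by `openssl version`,
# e.g. "OpenSSL 1.1.1j  16 Feb 2021" or just "1.1.1h". The optional trailing
# letter is the patch letter used by the 1.0.x/1.1.x release series.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_index) or None if the text is unparsable.

    The patch letter is mapped to an integer so versions compare as plain
    tuples: '' -> 0, 'a' -> 1, ..., 'k' -> 11.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


# Affected range as stated in the article: 1.1.1h and newer are vulnerable,
# 1.1.1k is the fixed release, and the 1.0.2 series is not affected.
FIRST_AFFECTED = (1, 1, 1, ord("h") - ord("a") + 1)   # 1.1.1h
FIXED_IN = (1, 1, 1, ord("k") - ord("a") + 1)         # 1.1.1k


def is_vulnerable_cve_2021_3449(version_text):
    """True if the version falls in [1.1.1h, 1.1.1k); raises on unknown input."""
    v = parse_openssl_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version_text!r}")
    return FIRST_AFFECTED <= v < FIXED_IN


if __name__ == "__main__":
    # Constructed sample outputs of `openssl version`, not captured from real hosts.
    samples = [
        "OpenSSL 1.1.1g  21 Apr 2020",
        "OpenSSL 1.1.1h  22 Sep 2020",
        "OpenSSL 1.1.1j  16 Feb 2021",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.0.2u  20 Dec 2019",
    ]
    for line in samples:
        print(f"{line:30} vulnerable={is_vulnerable_cve_2021_3449(line)}")
```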