Daily Archives: December 6, 2015

OpenSSL Releases Security Updates December 2015

On the 3rd of December the OpenSSL project made security updates available for the following versions of OpenSSL:

  • OpenSSL 0.9.8zh: 1x CVE (defined) resolved: Moderate severity
  • OpenSSL 1.0.0t: 2x CVEs resolved: 1x moderate severity, 1x low severity
  • OpenSSL 1.0.1q: 2x CVEs resolved: 2x moderate severity
  • OpenSSL 1.0.2e: 3x CVEs resolved: 3x moderate severity

Why Should These Issues Be Considered Important?
OpenSSL versions 1.0.1 and 1.0.2 are vulnerable to a moderate-severity Denial of Service (DoS) (defined) issue: an attacker who can present a crafted certificate can crash both clients and servers that perform certificate verification.

OpenSSL versions 1.0.0, 1.0.1 and 1.0.2 are vulnerable to a low-severity race condition (see the Aside below for a definition) in the handling of the PSK identity hint, which can result in a double free (a memory-safety flaw closely related to the use-after-free issues defined here) of the identity hint data. The 1.0.1 and 1.0.2 branches received this fix in earlier releases, which is why it appears in the list above only against 1.0.0t.

Moreover, all versions of OpenSSL are vulnerable to a moderate-severity memory leak when a malformed X509_ATTRIBUTE structure is presented (for example, inside PKCS#7 or CMS data); an attacker who can trigger the leak repeatedly could exhaust memory and cause a denial of service.

Finally, and most importantly, OpenSSL 0.9.8 and 1.0.0 will no longer receive security updates after the 31st of December this year. As the OpenSSL team notes, unless a significant security issue is found before then, 0.9.8zh and 1.0.0t will be the last releases for those versions.

If you or your organization make use of any software that uses these older versions of OpenSSL, you are strongly advised to upgrade to 1.0.1 (supported until the end of 2016) or 1.0.2 (supported until the end of 2019). These dates come from the OpenSSL team's Release Strategy page.

How can I protect myself from this issue?
For any server that you manage that uses OpenSSL, please update your OpenSSL installation to 0.9.8zh, 1.0.0t, 1.0.1q or 1.0.2e (as appropriate). Remember that client software which bundles its own copy of OpenSSL needs a vendor update of its own; patching the system library does not fix it.

  • FTP mirrors to obtain the necessary downloads are available from here.
  • Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation. Note that many distributions backport security fixes without changing the upstream version letter, so on such systems check the distribution's own advisory for these CVEs rather than relying on the output of "openssl version".
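As an added example (not code from the OpenSSL project or from this post's author), the following POSIX shell script takes the output of "openssl version" and reports whether the installed copy is at or past the fixed release for its branch (0.9.8zh, 1.0.0t, 1.0.1q or 1.0.2e). It assumes upstream version numbering, so it is only meaningful for builds from the official tarballs, and it says nothing about applications that bundle their own statically linked OpenSSL. The function and constant names are my own.

```sh
#!/bin/sh
# Added example (not OpenSSL project code): report whether an OpenSSL version
# string is at or past the 3 December 2015 fixed release for its branch.
# Assumes upstream version numbering; distributions that backport fixes keep
# the old letter and must be checked against their own advisories instead.

# Fixed release letter for each branch covered by the December 2015 advisory.
fixed_letter_for_branch() {
    case "$1" in
        0.9.8) echo zh ;;
        1.0.0) echo t ;;
        1.0.1) echo q ;;
        1.0.2) echo e ;;
        *)     echo "" ;;
    esac
}

# True when "$1" sorts at or after "$2" in the C locale. OpenSSL's letter
# suffixes (a, b, ..., z, za, zb, ...) order correctly under this comparison,
# and the empty suffix (the branch's first release) sorts before all of them.
lex_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | tail -n 1)" = "$1" ]
}

# Accepts the output of `openssl version` ("OpenSSL 1.0.1p 9 Jul 2015") or a
# bare version ("1.0.2e-fips"). Prints one of: patched, vulnerable,
# unsupported-branch, unparsed. Exit status is 0 only for "patched".
openssl_patch_status() {
    v=${1#OpenSSL }
    # Split "1.0.1p..." into "1.0.1 p"; anything that is not X.Y.Z[letters] is rejected.
    ver=$(printf '%s\n' "$v" | sed -n 's/^\([0-9]\.[0-9]\.[0-9]\)\([a-z]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unparsed
        return 3
    fi
    branch=${ver% *}
    letter=${ver#* }
    want=$(fixed_letter_for_branch "$branch")
    if [ -z "$want" ]; then
        echo unsupported-branch
        return 2
    fi
    if lex_ge "$letter" "$want"; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# When run directly, check the copy on the PATH (if any). This tells you
# nothing about applications that carry their own statically linked OpenSSL.
if command -v openssl >/dev/null 2>&1; then
    local_version=$(openssl version)
    printf '%s -> %s\n' "$local_version" "$(openssl_patch_status "$local_version")"
fi
```

Because the exit status is non-zero for anything other than "patched", the function can be dropped into a fleet inventory script and the hosts that need attention collected from its return code. A 1.1.0 or LibreSSL version string is reported as unsupported-branch or unparsed rather than patched, so an unknown build is never silently passed.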

Thank you.

=======================
Aside:
What is a race condition?

If two or more processes, threads or other entities try to carry out a task or change the same data at the same time, an unusual or invalid outcome can occur when the operations do not happen in the order the program expects. In the OpenSSL case above, the outcome is that the same identity hint buffer is freed twice.

My thanks to Shon Harris for inspiring this definition from her book “CISSP All-in-One Exam Guide, 6th Edition” (McGraw-Hill Osborne, 2013).
=======================

Cisco Issues Security Update to WebEx Android App

Last week Cisco issued a security update for their WebEx Meetings Android App to resolve a severe permissions issue.

Why Should This Issue Be Considered Important?

This is a serious security issue that could lead to information disclosure and an elevation of privilege (defined) attack. It is present in all versions of the app older than version 8.5.1. As Cisco discusses in its security advisory, a remote attacker with no previous access to the app could exploit this issue by tricking the user of the smartphone into installing another app that abuses the permissions issue within the WebEx app. If this were to happen, any information and permissions/access that the WebEx app has would then be available to the malicious app.

In addition, there are no workarounds for this issue. At this time Cisco has not seen any evidence to show that this issue has been used by attackers.

How Can I Protect Myself From This Issue?
Cisco has released an updated version of the WebEx app to address this issue. The updated app is available from this link (Google Play Store). Graham Cluley's blog post also contains one further piece of important advice for staying safe when downloading apps or app updates.

Thank you.