Welcome to the Acumen Security Blog

Archives for July 2015

OPENSSL: SEVERE UNDISCLOSED BUG

A new version of OpenSSL, the open-source software widely used to encrypt internet communications with SSL/TLS, is due to be released this Thursday, July 9th, patching a “high severity” vulnerability. The developers of OpenSSL posted the following announcement to their message boards at openssl.org:

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”

According to some speculation, this new vulnerability won’t be anything as serious as “Heartbleed”, but a “high severity” classification means it can still open the door to serious attacks such as remote code execution or denial of service (DoS). It is still not clear what type of vulnerability the researchers have discovered; details of the patch have been kept secret in order to avoid security breaches, with the exception of the statement that the update also takes care of the Logjam (CVE-2015-4000) vulnerability. Logjam is a TLS bug that can be exploited by a man-in-the-middle (MITM), allowing an attacker to read and alter encrypted data.

So, a word of advice to everyone running OpenSSL: keep an eye on this important update on Thursday, July 9th, and be prepared to patch your systems as soon as possible. You owe it to your own security and to the security of your users.
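To make that “be prepared to patch” advice actionable once the release lands, here is an added example (not part of the original post or the OpenSSL project) that classifies an `openssl version` banner against the fixed releases named in the announcement, 1.0.2d and 1.0.1p, and the unaffected 1.0.0 and 0.9.8 branches. It assumes the `openssl` binary is on PATH for the local check; the sample banners in the comments are constructed.

```python
import re
import subprocess

# Fixed releases named in the OpenSSL announcement: branch -> first patched letter suffix.
FIXED_LETTER = {(1, 0, 2): "d", (1, 0, 1): "p"}
# Branches the announcement says are not affected by this defect.
UNAFFECTED = {(1, 0, 0), (0, 9, 8)}

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013" (constructed example).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into ((major, minor, fix), letter)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def patch_status(banner):
    """Return 'patched', 'vulnerable', 'unaffected' or 'unknown' for a banner."""
    branch, letter = parse_openssl_version(banner)
    if branch in UNAFFECTED:
        return "unaffected"
    fixed = FIXED_LETTER.get(branch)
    if fixed is None:
        # A branch the announcement does not mention (e.g. a later 1.1.x): cannot judge.
        return "unknown"
    # OpenSSL letter suffixes sort alphabetically, and a bare "1.0.2" has an empty
    # suffix, so "" < "d" and "o" < "p" are both classified as vulnerable.
    return "patched" if letter >= fixed else "vulnerable"


def local_status():
    """Classify the OpenSSL installed on this host (assumes `openssl` is on PATH)."""
    banner = subprocess.check_output(["openssl", "version"]).decode()
    return patch_status(banner)


if __name__ == "__main__":
    print(local_status())
```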
