Security Affairs
Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

OpenSSL will patch this week high severity vulnerability

The OpenSSL Project announced early this week that it will release as soon as possible updates to that patch multiple vulnerabilities. One of the flaws that affect the popular toolkit has a “high” severity. The Project plans to release OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u next Thursday. The OpenSSL Project confirmed that the security updates that will […]

OpenSSL will patch this week high severity vulnerability

The OpenSSL Project announced early this week that it will release as soon as possible updates to that patch multiple vulnerabilities.

One of the flaws that affect the popular toolkit has a “high” severity.

The Project plans to release OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u next Thursday. The OpenSSL Project confirmed that the security updates that will be released on September 22 will fix a flaw having a high severity, one having a moderate severity, meanwhile, the remaining ones have all low severity.

The time to fix a flaw depends on its severity, usually high severity issues are fixed within a month by experts at the OpenSSL Project, meanwhile, critical issues are fixed as soon as possible to avoid exploitation in the wild.

The OpenSSL Project has once again reminded users that support for version 1.0.1 will end on December 31. The 1.1.0 branch was launched on August 25.

The OpenSSL Project has already issued three security patches this year that addressed a total of 16 vulnerabilities.

In May, the OpenSSL project fixed the CVE-2016-2107 flaw that affected the open-source cryptographic library and could be exploited to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.

According to the experts, the flaw was affecting the OpenSSL cryptographic library since 2013, when maintainers of the project fixed another Padding Oracle flaw called Lucky 13.

“A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.” states the advisory issued by the OpenSSL. “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same  bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”

According to the security firm High-Tech Bridge, on May 31th many of the Alexa Top 10,000 websites were still vulnerable to the OpenSSL flaw CVE-2016-2107 despite the OpensSSL Project issued the fix on May 1st.

CVE-2016-2107 OpenSSL Flaw

Earlier this year the OpenSSL Project released versions 1.0.2f and 1.0.1r to fix a high-severity vulnerability (CVE-2016-0701) that allows attackers to decrypt secure traffic. The developers also patched two separate vulnerabilities in the toolkit, the most severe affected the implementations of the Diffie-Hellman key exchange algorithm presents only in OpenSSL version 1.0.2.

Another round of security updates released in March fixed vulnerabilities, including the DROWN flaw that could be exploited by attackers to access users’ sensitive data over secure HTTPS communications. In March, security experts estimated that the DROWN vulnerabilities affected a quarter of the top one million HTTPS domains and one-third of all HTTPS websites at the time of disclosure.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – security, encryption)