OpenSSL Multiple Vulnerabilities (Feb 10, 2017)
OpenSSL is a widely-used software library in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. It contains an open-source implementation of the SSL and TLS protocols. OpenSSL is available for most Unix and Unix-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows.
Multiple vulnerabilities have been discovered in OpenSSL library. An advisory has been released by the vendor here. Among them CVE-2017-3731 is an integer underflow vulnerability leading to an out of bounds read of truncated packet, usually resulting in a crash. CVE-2017-3730 is a NULL pointer dereference vulnerability of bad parameters for a DHE or ECDHE key exchange from malicious server.
The vendor has patched the vulnerabilities. For OpenSSL 1.1.0, please upgrade to 1.1.0d. For Openssl 1.0.2, please upgrade to update to 1.0.2k.
SonicWall threat team has researched these vulnerabilities and released the following IPS signatures to protect their customers:
- IPS:12606 OpenSSL ChaCha20-Poly1305 and RC4-MD5 Integer Underflow 1
- IPS:12607 OpenSSL ChaCha20-Poly1305 and RC4-MD5 Integer Underflow 2
- IPS:12608 OpenSSL DHE and ECDHE Parameters NULL Pointer Dereference 1
- IPS:12609 OpenSSL DHE and ECDHE Parameters NULL Pointer Dereference 2
