Archive for the ‘OpenSSL’ Category

UK cyber security officials report Huawei’s security practices are a mess

March 28th, 2019
As Huawei makes its bid to roll out 5G, a UK government oversight board is not exactly thrilled with the company's security practices--or how it makes software.

Enlarge / As Huawei makes its bid to roll out 5G, a UK government oversight board is not exactly thrilled with the company's security practices--or how it makes software. (credit: Getty Images)

In November of 2010, the Chinese networking and telecommunications giant Huawei entered into an agreement with the government of the United Kingdom to allow extensive security reviews of Huawei’s hardware and software—a move intended to belay fears that the company posed a security risk to the UK’s networks. Since then, the Huawei Cyber Security Evaluation Centre (HCSEC) has given UK officials a window into the company’s information security practices. And UK officials haven’t necessarily liked what they’ve seen.

In a report issued today, the HCSEC Oversight Board—a panel including officials from the National Cyber Security Centre, GCHQ and other agencies, as well as a senior executive from Huawei—warned that Huawei had failed to make long-promised changes to its software development and engineering practices needed to improve security.

“HSCE’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators,” the oversight board members noted. “No material progress” had been made in correcting those problems since they were noted last year.

Read 9 remaining paragraphs | Comments

Posted in 5G, Biz & IT, Huawei, Nationa Cyber Security Centre, OpenSSL, Policy | Comments (0)

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug

January 23rd, 2017

It’s more than two and half years since the discovery of the critical OpenSSL Heartbleed vulnerability, but the flaw is still alive as it appears that many organizations did not remediate properly to the serious security glitch.

It was one of the biggest flaws in the Internet’s history that affected the core security of as many as two-thirds of the world’s servers i.e. half a million servers at

Posted in hacking news, Heartbleed bug, Heartbleed OpenSSL Venerability, OpenSSL, OpenSSL Heartbleed, OpenSSL vulnerability, server hacking, Shodan search engine, website hacking | Comments (0)

‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers

December 14th, 2016

Recently we noticed a security patch has been published for the OpenSSL vulnerability called SSL Death Alert. As with other serious security vulnerabilities, this one grabbed our attention because the discoverer of the vulnerability says that it may cause a denial of service to an OpenSSL web server. To better protect our customers from this attack and provide detection and prevention for this vulnerability, the McAfee Labs IPS Vulnerability Research team looked into this issue.

Our analysis started with the patch differences report of the newly pushed code.

2016-12-13-openssl-death-alert-1

As we can see in the diffing results, a couple of files have been modified to fix this problem.

The patch diff of include/openssl/ssl.h reveals the new error code SSL_R_TOO_MANY_WARN_ALERTS (409) has been introduced.

2016-12-13-openssl-death-alert-2

In ssl/record/record_locl.h, we can see the directive MAX_WARN_ALERT_COUNT has been introduced and is set to 5.

2016-12-13-openssl-death-alert-3

Now let’s look into the actual patch, which sits in the files ssl/record/rec_layer_d1.c and ssl/record/rec_layer_s3.c.

The following screen shots show the patch changes in the two files.

ssl/record/rec_layer_d1.c

2016-12-13-openssl-death-alert-4

ssl/record/rec_layer_s3.c

2016-12-13-openssl-death-alert-5

As we can see, the patch is pretty simple and straightforward. It simply counts the layers of consecutive SSL3_AL_WARNING alert packets and checks if the count exceeds five. If the count is greater than five, it raises an error.

Exploiting this issue

To provide detection and prevention for this DoS attack, we created a minimal proof of concept. Although there is no public exploit, the advisory provides a lot of technical details. To exploit this bug, we must initiate the SSL handshake. As a part of the handshake the attacker has to send a genuine Client Hello packet to the server. The following screen shot shows a packet capture of the first stage of the exploit, a normal Client Hello packet.

2016-12-13-openssl-death-alert-6

As described in the security advisory, to exhaust the CPU, we need to send a large number of crafted cleartext SSL3_AL_WARNING alert packets to the server. To do this, we must understand the structure of an alert packet. The message looks like the following, from this TLS protocol memo.

2016-12-13-openssl-death-alert-7

An alert message can be encrypted, but in this case we have to send a cleartext alert to the vulnerable server.

The following screen shot shows captured SSL3_AL_WARNING packets in our test environment.

2016-12-13-openssl-death-alert-8

Next we see multiple alerts packed inside a single record.

2016-12-13-openssl-death-alert-9

The alert packet structure looks like this:

2016-12-13-openssl-death-alert-10

To test the developed exploit, we configured a test server with OpenSSL and self-signed certificate and private key. The following screen shot shows the server listening to port 4433 and communicating with an SSL client.

2016-12-13-openssl-death-alert-11

During normal SSL communications between server and client, we see nothing abnormal with CPU consumption of server processes.

2016-12-13-openssl-death-alert-12

As soon as we run the exploit against the server, however, we immediately see the server process stops responding as CPU usage reaches 99% and then 100% after a few seconds.

2016-12-13-openssl-death-alert-13

The CPU spike causes a denial of service by the OpenSSL Server as it becomes inaccessible. In our test environment, we noticed the SSL service resumes as soon as we stop the exploit from sending malicious packets.

Server administrators should apply the patch to OpenSSL servers as soon as possible. McAfee Network Security Platform (IPS) signature 0x45c09000 provides detection and prevention for this attack.

The post ‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers appeared first on McAfee Blogs.

Posted in McAfee Labs, OpenSSL, Vulnerability | Comments (0)

OpenSSL Releases Patch For “High” Severity Vulnerability

November 10th, 2016

As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software.

The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites.

The vulnerability, reported by Robert Święcki of the Google Security Team on

Posted in ddos attack, dos attack, OpenSSL, OpenSSL vulnerability, secure communication, SSL Certificate, SSL encryption, website security | Comments (0)

Critical DoS Flaw found in OpenSSL — How It Works

September 23rd, 2016

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks.

OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well

Posted in ddos attack, denial-of-service attacks, digital Certificate, dos attack, hacking news, OpenSSL, OpenSSL vulnerability, SSL Certificate, Vulnerability | Comments (0)

OpenSSL Patches Bring Last Update for 0.9.8 and 1.0.0 Branches

December 4th, 2015

The OpenSSL Software Foundation patched four vulnerabilities on Thursday, likely the last time that two older versions of the software library will receive updates.

Posted in DOS, OpenSSL, OpenSSL updates, patches, vulnerabilities, Web Security | Comments (0)

Core Infrastructure Initiative Launches Open Source Security Badge Program

August 18th, 2015

The Core Infrastructure Initiative, which has funded OpenSSL among other open source security projects, announced a badge program that evaluates secure development best practices.

Posted in Adam Shostack, CII, Core Infrastructure Initiative, Emily Ratliff, Open Source, Open Source Security, OpenSSL, OpenSSL audit, Secure development, Tom Ritter, vulnerabilities, Web Security | Comments (0)

Census Project Identifies Open Source Tools at Risk

July 10th, 2015

The Linux Foundation’s Core Infrastructure Initiative announced it was releasing to open source data from the Census Project, which uses metrics identify under-resourced open source projects at risk.

Posted in Census Project, Core Infrastructure Initiative, critical infrastructure, David Wheeler, Emily Ratliff, Florian Weimer, Linux Foundation, Open Source Security, open source software, OpenSSL, OpenSSL audit, security metrics, vulnerabilities, Web Security | Comments (0)

Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate

July 9th, 2015

The mysterious security vulnerability in the widely used OpenSSL code library is neither HeartBleed nor FREAK, but it’s critical enough to be patched by sysadmins without any delay.

OpenSSL Foundation released the promised patch against a high severity vulnerability in OpenSSL versions 1.0.1n and 1.0.2b, resolving a certificate forgery issue in the implementations of the crypto protocol.

Posted in CVE-2015-1793, hacking news, OpenSSL, OpenSSL vulnerability, SSL TLS security, Vulnerability, website security, Zero-Day Vulnerability | Comments (0)

OpenSSL to Patch Undisclosed High Severity Vulnerability this Thursday

July 7th, 2015

Attention Please! System Administrator and anyone relying on OpenSSL should be prepared to switch to a new version of the open-source crypto library that will be released this Thursday 9th July.

OpenSSL is a widely used open-source software library that provides encrypted Internet connections using SSL/TLS for majority of websites, as well as other secure services.

The new versions of

Posted in hacking news, Heartbleed bug, HTTPS encryption, OpenSSL, OpenSSL vulnerability, POODLE SSL Attack, SSL TLS security, SSL vulnerability, Vulnerability | Comments (0)