Contact us: (323) 791-9894 Fax: (626) 382-5666

Bug in OpenSSL – You can kill servers remotely (DoS)

OpenSSL project has just patched two vulnerabilities (marked with risk High). The CVE-2021-3449 vulnerability seems to be more important because it can be used in default configurations.

As we can read here:

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).

Show issues fixed only in OpenSSL