April 20, H Security – (International) New version of OpenSSL closes security holes in ASN1 parser. A member of Google’s Security Team told the OpenSSL developers of a security hole in the current version of their open source library. The errors occur when parsing ASN1 data via the asn1_d2i_read_bio() function. According to the OpenSSL advisory and the member’s message, the issue affects applications that process external X.509 certificates or public RSA keys. The OpenSSL developers released versions 1.0.1a, 1.0.0i, and 0.9.8v to fix the “ASN1 BIO” problem, but the advisories did not state whether the update was urgent. The OpenSSL team discussed a “potentially exploitable vulnerability” and the Google Security Team member provided further details by saying the issue “can cause memory corruption,” but neither spoke about potential consequences. The full scope of the problem will most likely only be revealed once a Metasploit module is released. However, the OpenSSH project’s own SSH server was unaffected. A researcher wrote that sshd verifies RSA keys with the custom openssh_RSA_verify() function which, he said, already helped avoid eight exploitable bugs in the ASN1 parser. Fixed OpenSSL packages for Ubuntu and OpenBSD were already released. Fixes for Red Hat Enterprise Linux and Fedora will be issued soon.
Ali Loney, on April 20, 2012
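As an added example (not part of the original brief or of OpenSSL itself), the following Python sketch classifies an upstream `openssl version` banner against the three fixed releases named above. The function names, status strings and sample banners are constructed for illustration.

```python
import re

# Fixed upstream releases named in the brief, keyed by release branch.
FIXED = {"1.0.1": "a", "1.0.0": "i", "0.9.8": "v"}

_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)(?:-(\w+))?")
_PRERELEASE_RE = re.compile(r"(dev|beta\d*|pre\d*)$")


def parse_version(banner):
    """Split a banner into (branch, patch letters, optional suffix tag)."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    return m.group(1), m.group(2), m.group(3)


def _rank(letters):
    # Patch letters order as '' < a < ... < z < za < zb, so compare
    # by length first and alphabetically second.
    return (len(letters), letters)


def fix_status(banner):
    """Return 'fixed', 'predates-fix' or 'unknown-branch' for a banner."""
    branch, letters, tag = parse_version(banner)
    if branch not in FIXED:
        return "unknown-branch"  # the brief names no fixed release here
    have, need = _rank(letters), _rank(FIXED[branch])
    if have < need:
        return "predates-fix"
    # A -dev/-beta build of the fixed release itself precedes that release.
    if have == need and tag and _PRERELEASE_RE.match(tag):
        return "predates-fix"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample banners in the format printed by `openssl version`.
    for sample in ("OpenSSL 1.0.1 14 Mar 2012",
                   "OpenSSL 1.0.0i 19 Apr 2012",
                   "OpenSSL 0.9.8u 12 Mar 2012",
                   "OpenSSL 0.9.7m 23 Feb 2007"):
        print("%-30s %s" % (sample, fix_status(sample)))
```

Distribution packages often backport a fix without changing the upstream version string, so a "predates-fix" result on such a system should be confirmed against the vendor's package changelog.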