This New OpenSSL Bug Could Bring Down Any Web Server


On other occasions we have looked at various failures and attacks that can affect how servers work. In this article we discuss a new bug in OpenSSL that could allow an attacker to bring down a server and stop it from working properly. We explain exactly what the problem consists of and how it can be avoided.

A serious bug in OpenSSL can hang servers

This bug has been rated high severity and affects the OpenSSL software library. It has received a CVSS score of 7.5 and allows an attacker to carry out a DoS (denial of service) attack during certificate parsing. The problem is an infinite loop, located specifically in the BN_mod_sqrt() function.

The bug has been logged as CVE-2022-0778 and could be used to take many servers out of service remotely. The security researchers behind the discovery point out that certificate parsing is performed before the certificate signature is verified. As a result, any process that parses an externally supplied certificate is potentially exposed to a denial of service attack.

Keep in mind that this is not the first vulnerability to affect OpenSSL this year. A little over a month ago another one was registered as CVE-2022-0778, but on that occasion it was rated moderate in severity, with a CVSS score of 5.9, so it was less serious than the one discussed here.


Available solution

This serious flaw, which allows servers to be hung remotely, affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. The project maintainers quickly set to work on a fix and released versions 1.0.2zd (available to Premium support customers), 1.1.1n and 3.0.2.

The problem is that version 1.1.0 is also affected but will not receive any update, as it has reached end of life. However, many users may still be running it and have not moved to a more recent version.
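To put the affected and fixed versions listed above into practice, here is an added example (not code from the article or from the OpenSSL project) that classifies the banner printed by `openssl version` against CVE-2022-0778. The function name, the sample banners and the status strings are my own constructions.

```python
import re
import subprocess

# Fixed releases named in the article. 1.1.0 is end-of-life and never received a fix.
# OpenSSL 1.x patch levels are letters: a..z, then za, zb, ... so plain string
# comparison orders them correctly ("u" < "z" < "za" < "zd").
FIXED_LETTER = {"1.0.2": "zd", "1.1.1": "n"}
FIXED_3_0_PATCH = 2

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def cve_2022_0778_status(banner):
    """Classify an `openssl version` banner against CVE-2022-0778.

    Returns 'vulnerable', 'fixed' or 'not covered' (a release line the
    article does not mention). Raises ValueError when the banner is not an
    OpenSSL version string (e.g. LibreSSL).
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letters = m.group(4)
    series = f"{major}.{minor}.{patch}"
    if series == "1.1.0":
        return "vulnerable"  # EOL line: affected, and no update will ship
    if series in FIXED_LETTER:
        return "fixed" if letters >= FIXED_LETTER[series] else "vulnerable"
    if (major, minor) == (3, 0):
        return "fixed" if patch >= FIXED_3_0_PATCH else "vulnerable"
    return "not covered"


def check_local_openssl():
    """Run the locally installed `openssl version` and classify its banner."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout.strip()
    return banner, cve_2022_0778_status(banner)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for sample in ("OpenSSL 1.1.1m  14 Dec 2021", "OpenSSL 1.1.1n  15 Mar 2022",
                   "OpenSSL 1.0.2u  20 Dec 2019", "OpenSSL 3.0.1 14 Dec 2021",
                   "OpenSSL 1.1.0l  10 Sep 2019"):
        print(f"{sample:32} -> {cve_2022_0778_status(sample)}")
    try:
        print("local: %s -> %s" % check_local_openssl())
    except FileNotFoundError:
        print("local: openssl binary not found")
```

Distribution packages often backport the fix without changing the upstream version string, so a "vulnerable" result from a banner check should be confirmed against the package changelog before acting on it.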

Security researchers have indicated that there is no evidence that this vulnerability has been exploited. However, they warn that there are various scenarios in which it could become a major problem, which is why it is advisable to update as soon as possible.

Once again, this shows the importance of always running the latest available versions. It is essential to install any update or patch released for the operating system, the programs we use or drivers. That way you avoid vulnerabilities that could be exploited by a hacker to compromise your personal information and the proper functioning of your equipment.

There are tools for checking SSL/TLS certificates and vulnerabilities on websites. These also help you find out when a page may have a certificate-related problem and fix it as soon as possible.
