Critical DoS Flaw found in OpenSSL — How It Works


September 23, 2016

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks.

OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as other secure services.

The vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0 and patched in OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u.

The Critical-rated bug (CVE-2016-6304) can be exploited by sending a large OCSP Status Request extension on the targeted server during connection negotiations, which causes memory exhaustion to launch DoS attacks, the OpenSSL Project said.

Read full story…