Security Alert
Vulnerabilities in OpenSSL
A Proof of Concept has appeared on the internet with which OpenSSL can be abused. The NCSC has therefore increased the rating of the security advice on the vulnerabilities in OpenSSL announced yesterday to high/high: meaning the chance of abuse in the short term and the potential damage are high. This could, for example, have consequences for the availability of websites.
What is OpenSSL?
OpenSSL is software used as a tool in applications to encrypt communication. Such a tool prevents applications developer from having to write new software for communication encryption. One drawback is that if such a tool contains a vulnerability, all applications using that tool are in trouble. Since OpenSSL is a widely used tool for communication encryption, this is now the case. Because a lot of software that uses OpenSSL is connected to the internet, this makes the problem even bigger.
The site of the Digital Trust Center explains what you can do if you do not have a direct understanding of the technical nature of the software OpenSSL and the specific situation in which this vulnerability can be abused
What does the vulnerability involve?
This concerns a vulnerability in the implementation of TLS renegotiation (CVE-2021-3449), which can be abused for a server crash (Denial of Service), and a vulnerability in the handling of the X509_V_FLAG_X509_STRICT flag (CVE-2021-3450), which makes a Man in the Middle attack possible. The Proof of Concept allows the CVE-2021-3449 vulnerability to be exploited.
CVE-2021-3449 concerns a problem with the server, in the worst case it affects the availability of the functionality concerned. CVE-2021-3450 is a client problem and requires active intervention in local network traffic for abuse (Man in the Middle). This allows the attacker to view and change information. The attack is not noticeable for the client.
Research has shown that CVE-2021-3449 can be mitigated by switching off secure renegotiation. However, the negative consequence of this is that 'insecure renegotiation' remains the only variant. The NCSC advises against the use of insecure renegotiation, as described in our ICT security guidelines for Transport Layer Security (TLS). For CVE-2021-3450, we are currently not aware of any mitigating measures, other than installing the patch.
The NCSC has found that, after installing the update, a server reboot may be required in some cases to fully resolve the vulnerabilities.
Source: NCSC.