Phew!
Well, there’s a relief.
When on Monday a brief note appeared on a mailing list announcing that a “high severity” bug in OpenSSL was due to be revealed in a matter of days, I can’t have been the only one dreading that we could be facing another Heartbleed situation.
Here is how that initial announcement was worded:
Fortunately, we now know that although serious and important to fix, the vulnerability isn’t that serious.
Rather than mobile apps, hardware devices, web servers’ private keys and users’ session cookies and passwords being at risk, the high severity flaw announced by OpenSSL on Thursday was a bug that could be exploited by attackers to make servers crash, effectively a way of launching a denial-of-service (DoS) attack.
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
Severity: High
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.
This issue affects OpenSSL version: 1.0.2
OpenSSL 1.0.2 users should upgrade to 1.0.2a.
This issue was reported to OpenSSL on 26th February 2015 by David Ramos of Stanford University. The fix was developed by Stephen Henson and Matt Caswell of the OpenSSL development team.
A blog post by OpenSSL Project member Mark Cox reveals that there has been no evidence that the bug has been exploited publicly. Furthermore, because the flaw only affects version 1.0.2 of OpenSSL (which was released just a couple of months ago), it’s likely that most servers aren’t using it yet.
Yes, you heard right folks. Sometimes it’s a good thing that people have better things to do than upgrade their software…
In retrospect, maybe it would have been better if that initial announcement had clarified that the “high severity” threat was nothing like the Heartbleed bug that shook companies worldwide last year. Would it have been so difficult to reassure users a little about what type of flaw was scheduled to be fixed?
Of course, no-one should be complacent. The fact that it has now been publicly announced that there is a denial-of-service vulnerability in OpenSSL 1.0.2 might focus attackers’ minds on seeing if they can exploit it for themselves.
Stay ahead of the game by ensuring that you are updating OpenSSL to one of the latest versions to protect against the denial-of-service flaw and other vulnerabilities – 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
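A quick way to check whether a host’s OpenSSL build is at or above the releases listed above, as an added example that is not from the article or the OpenSSL project; it assumes the pre-1.1 version scheme (major.minor.fix plus letter suffix) and that the `openssl` binary is on PATH.

```python
import re
import subprocess

# Minimum release on each branch recommended above: 1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf.
PATCHED = {(1, 0, 2): "a", (1, 0, 1): "m", (1, 0, 0): "r", (0, 9, 8): "zf"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Parse 'OpenSSL 1.0.2a 19 Mar 2015' or a bare '1.0.2a' into ((major, minor, fix), letters)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letters_key(letters):
    # Letter releases are ordered '' < 'a' < ... < 'z' < 'za' < 'zb' ..., so a
    # longer suffix is always newer; compare by length first, then lexically.
    return (len(letters), letters)


def assess(version_text):
    """Return exposure details for one version string (constructed or from 'openssl version')."""
    branch, letters = parse_version(version_text)
    # CVE-2015-0291 affects the unlettered 1.0.2 release only; 1.0.2a contains the fix.
    cve_2015_0291 = branch == (1, 0, 2) and letters == ""
    if branch in PATCHED:
        needs_update = letters_key(letters) < letters_key(PATCHED[branch])
        recommended = "%d.%d.%d%s" % (branch + (PATCHED[branch],))
    else:
        needs_update = None  # branch not covered by the March 2015 releases
        recommended = None
    return {"version": version_text, "cve_2015_0291": cve_2015_0291,
            "needs_update": needs_update, "recommended": recommended}


def installed_version():
    """Run the local 'openssl version' command and assess its output."""
    out = subprocess.check_output(["openssl", "version"]).decode()
    return assess(out.strip())


if __name__ == "__main__":
    # Constructed sample strings in the format 'openssl version' prints.
    for sample in ("OpenSSL 1.0.2 22 Jan 2015", "OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 0.9.8zf 19 Mar 2015"):
        print(assess(sample))
```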
It’s just been a few weeks since it was revealed that millions of dollars are being invested in the Linux Foundation’s Core Infrastructure Initiative (CII) to harden open source technologies.
With the likes of Amazon, Google, IBM, Facebook and many others reaching into their pockets to fund an in-depth audit of OpenSSL’s code, we shouldn’t be at all surprised if there will be more security updates coming in the near future.
We're all just attention seekers looking to drum up excitement and have people take notice of us, I guess.
Between people slapping logos and brand names on vulns, and others fishing for belly rubs from spooks by writing about espionage, we run the risk of warping the industry into a high-tech marketing circlejerk.
Frankly I don't see the need to hype up vulns. People whose job it is to keep systems up to date shouldn't need whipping up into a frenzy; they should know enough to respond sensibly to vulns and patches, regardless of the clever pun that someone came up with. Everyone else doesn't need to be concerned at all other than out of passing academic interest.
OpenSSL in fairness aren't doing this for money, just attention, but I don't want to see FUD become the standard business model in cyber security though. It creates work for me and hassle from higher ups who don't need to know what a buffer overrun is.
Keep it factual, concise, and do away with the sensationalism.
"Yes, you heard right folks. Sometimes it's a good thing that people have better things to do than upgrade their software…"
I'd like to specifically remark on that from an administrator (this is server specific, although part of it applies to workstations), because it is something that many misunderstand or do not think of. Yes, some updates are important and some are absolutely critical. But there is a difference between a bug fix and a new version. For servers, fewer updates equate to more stability, which is what a server needs. At the same time, as for security fixes, if you have a binary distribution (of Linux, say), then it is likely that the fixes will be backported into the current tree (when they're vulnerable). In short: the more updates there are, the more potential problems, and this especially goes for servers; this is why they suggest that some things should not be done on production servers (or any live system that you rely on). This implies that security fixes are important, but there is a very big difference between updating because of a new version and updating because of a bug fix; in the case of openssl, you don't necessarily need the most recent openssl (although some will argue that they 'need' it, I would argue most don't need it but simply feel they do or just want it).
"In retrospect, maybe it would have been better if that initial announcement had clarified that the "high severity" threat was nothing like the Heartbleed bug that shook companies worldwide last year."
If not because of it being a NULL pointer dereference (which does indeed imply a DoS attack), it might also be that the flaw was pointed out to them in bugtraq (or some other medium like bugzilla) and so they felt they didn't need to (the latter is rather common). Hard to know what thinking was involved and it (how to announce something) is one of those things that is debatable.