OpenSSL patches high-severity take-down vulnerability


The most widely used software library for encrypting website and email traffic, OpenSSL, has patched several high-severity flaws that make it easy for hackers to completely shut down a lot of servers at the same time.

OpenSSL offers users tested cryptographic functions that implement the Transport Layer Security (TLS) protocol. Its predecessor is the Secure Sockets Layer, which encrypts data flowing between servers and end-user clients.

People developing apps that use TLS rely on the OpenSSL libraries to save time and avoid errors that are common when complex encryption is the task at hand.

Our dependency on OpenSSL

In 2014, it became clear what mistakes in the OpenSSL library could lead to. A critical vulnerability appeared in the open-source code library, allowing users to steal encryption keys, sensitive data, and customer information from servers across the globe.

The flaw was christened Heartbleed and demonstrated how a couple of faulty code lines could compromise the security of banks, law firms, media houses, and more.

On Thursday, OpenSSL maintainers disclosed a vulnerability that they patched immediately. The flaw allows malicious actors to craft requests and send them to the end-user.

The flaw

Tracked as CVE-2021-3449, the flaw is a denial-of-service vulnerability that resulted from a null pointer dereference bug, according to engineer Filippo Valsorda on Twitter. Valsorda says that it could have been discovered earlier than now, adding that it seemed like “you can crash most OpenSSL servers on the internet today.”

During the initial handshake that establishes a secure connection between a server and the user, hackers can exploit the flaw to send a server a malicious renegotiation request.

That would promptly crash it. The vulnerability was reported by researchers on March 17, and users of OpenSSL can now breathe easy.