OpenSSL developers have just announced that the latest version, OpenSSL 1.1.1i, contains a number of patches to fix a critical vulnerability that could be exploited to deploy denial of service (DoS) attacks remotely.
This vulnerability, tracked as CVE-2020-10713, is a critical NULL pointer dereference issue and was reported by David Benjamin from Google’s security team. The flaw is present in all versions 1.1.1 and 1.0.2.
In their advisory, the OpenSSL security team states: “X.509 GeneralName is a generic type for representing different types of names. One of those types of names is known as EDIPartyName. OpenSSL provides a GENERAL_NAME_cmp function that compares different instances of GENERAL_NAME to see if they are equal or not. The function behaves unexpectedly when both GENERAL_NAMEs contain an EDIPARTYNAME. This could lead to NULL pointer dereference and eventual denial of service.”
Once developers reported the patch, multiple organizations issued security alerts to notify their users of the potential risk associated with the exploitation. In a recent notice, the Cybersecurity and Infrastructure Security Agency (CISA) urged administrators and users to verify which version of OpenSSL their organizations are running, in order to prevent any potential risk.
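As a concrete form of the version check CISA is asking administrators to perform, here is a small added helper script (not part of the original article or of the OpenSSL project) that parses the banner printed by `openssl version` and classifies it against the facts stated above: the fix is in 1.1.1i, and the 1.1.1 and 1.0.2 series are affected. The sample banners at the bottom are constructed for illustration; the `local_openssl_banner` function simply shells out to whatever `openssl` binary is on the PATH.

```python
import re
import subprocess
from typing import Optional, Tuple

# Facts from the advisory as reported on this page (assumed correct here):
# the patched release is 1.1.1i; all earlier 1.1.1 releases and the 1.0.2
# series are affected.  The page names no fixed 1.0.2 release, so 1.0.2 is
# simply reported as affected.
FIXED_LETTER_111 = "i"

# Matches e.g. "OpenSSL 1.1.1h  22 Sep 2020"; the trailing letter is the
# patch-release suffix (1.1.1 < 1.1.1a < 1.1.1b < ... < 1.1.1i).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) from an `openssl version` banner,
    or None if the banner is not from OpenSSL (e.g. LibreSSL)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def assess(banner: str) -> str:
    """Classify a banner against the advisory: vulnerable, patched, or out of scope."""
    v = parse_version(banner)
    if v is None:
        return "unknown: not an OpenSSL version banner"
    series, letter = v[:3], v[3]
    if series == (1, 1, 1):
        # Single-letter suffixes compare correctly as strings; the bare
        # "1.1.1" release has an empty suffix and therefore sorts first.
        if letter >= FIXED_LETTER_111:
            return "patched: 1.1.1i or later"
        return "VULNERABLE: 1.1.1 release earlier than 1.1.1i"
    if series == (1, 0, 2):
        return "VULNERABLE: 1.0.2 series is listed as affected"
    return "not covered by this advisory"


def local_openssl_banner() -> Optional[str]:
    """Run `openssl version` on this host; None if no openssl binary is found."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real hosts.
    samples = [
        "OpenSSL 1.1.1h  22 Sep 2020",
        "OpenSSL 1.1.1i  8 Dec 2020",
        "OpenSSL 1.0.2u  20 Dec 2019",
        "LibreSSL 3.2.2",
    ]
    for s in samples:
        print(f"{s:32} -> {assess(s)}")
    banner = local_openssl_banner()
    print("this host:", banner, "->", assess(banner) if banner else "no openssl binary")
```

Run it as-is to see the constructed samples classified, then check the final line for the host's own installation; on a fleet, feeding the collected `openssl version` banners from each host into `assess` gives a quick inventory of what still needs the 1.1.1i update.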
Linux distributions, including Red Hat, Debian, Ubuntu, and CloudLinux, have also issued security notices. Chinese security firm Qihoo 360 claims to have detected millions of vulnerable servers, mainly in the U.S.
Finally, Palo Alto Networks researchers issued a notice last Wednesday to inform their customers that this OpenSSL flaw does not affect their PAN-OS, GlobalProtect App or Cortex XSOAR products: “The conditions for exploiting this vulnerability do not exist in these products,” the company says. More industry organizations could issue their own releases in the coming days.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.