• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Cyber Security News

New Infinite Loop Bug in OpenSSL Could Let Attackers Crash Remote Servers

You are here: Home / General Cyber Security News / New Infinite Loop Bug in OpenSSL Could Let Attackers Crash Remote Servers
March 16, 2022

OpenSSL

The maintainers of OpenSSL have delivered patches to solve a large-severity security flaw in its program library that could direct to a denial-of-support (DoS) affliction when parsing certificates.

Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue stems from parsing a malformed certificate with invalid specific elliptic-curve parameters, ensuing in what’s called an “infinite loop.” The flaw resides in a perform referred to as BN_mod_sqrt() which is employed to compute the modular square root.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper take secure and enxrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized seller: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


Automatic GitHub Backups

“Because certificate parsing transpires prior to verification of the certificate signature, any course of action that parses an externally equipped certification might hence be subject to a denial-of-service attack,” OpenSSL said in an advisory published on March 15, 2022.

“The infinite loop can also be attained when parsing crafted non-public keys as they can have specific elliptic-curve parameters.”

When there is no proof that the vulnerability has been exploited in the wild, there are a couple of eventualities where by it could be weaponized, like when TLS clients (or servers) access a rogue certificate from a malicious server (or customer), or when certification authorities parse certification requests from subscribers.

The vulnerability impacts OpenSSL versions 1..2, 1.1.1, and 3., the task proprietors tackled the flaw with the launch of variations 1..2zd (for top quality assist buyers), 1.1.1n, and 3..2. OpenSSL 1.1., although also influenced, will not obtain a deal with as it has attained stop-of-daily life.

Prevent Data Breaches

Credited with reporting the flaw on February 24, 2022 is Google Challenge Zero security researcher Tavis Ormandy. The resolve was produced by David Benjamin from Google and Tomáš Mráz from OpenSSL.

CVE-2022-0778 is also the next OpenSSL vulnerability settled since the start of the calendar year. On January 28, 2022, the maintainers mounted a moderate-severity flaw (CVE-2021-4160, CVSS rating: 5.9) influencing the library’s MIPS32 and MIPS64 squaring method.

Discovered this write-up fascinating? Follow THN on Fb, Twitter  and LinkedIn to read a lot more special information we article.


Some sections of this article are sourced from:
thehackernews.com

Previous Post: «fbi, cisa warn of russian hackers exploiting mfa and printnightmare FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • New Infinite Loop Bug in OpenSSL Could Let Attackers Crash Remote Servers
  • FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug
  • Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters
  • NortonLifeLock and Avast merger could reduce competition, CMA warns
  • Thousands of Mobile Apps Expose User Data Via Cloud Misconfigurations
  • NSW ditches e-voting system for 2023 election
  • Kaspersky Hits Back at “Politically Motivated” BSI Advisory
  • Germany advises against using Kaspersky software due to hacking risk
  • CISA: Fix MFA and Patch Promptly to Stop Russian Attackers
  • German Government Warns Against Using Russia’s Kaspersky Antivirus Software

Copyright © TheCyberSecurity.News, All Rights Reserved.