Four days after releasing a new version that fixed several security problems, the OpenSSL maintainers have rushed out another version that patches a vulnerability introduced in version 1.1.0a on Sept. 22.
Last week, OpenSSL patched 14 security flaws in various versions of the software, which is the most widely used toolkit for implementing TLS. One of the vulnerabilities fixed in that release was a low-risk bug related to memory allocation in tls_get_message_header.
“A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be allocated to service a connection. This could lead to a Denial of Service through memory exhaustion,” the advisory says.
The problem is, the patch for that vulnerability actually introduced a separate critical bug. The new vulnerability, which is fixed in version 1.1.0b, only affected version 1.1.0a, but it can lead to arbitrary code execution.
“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code,” the OpenSSL advisory says.
In addition to the fix for this critical vulnerability, the version released Monday also includes a patch for a bug in 1.0.2i related to certificate revocation lists.
“A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception,” the advisory says.
The OpenSSL Software Foundation typically sends out emails several days ahead of the release of a new version, but because of the unusual circumstances of the vulnerability, the maintainers decided to release the update immediately.
“This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016. Given the Critical severity of one of these flaws we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification,” the advisory says.