Error in parsing OpenSSL certificates causes denial of service loop

Sicherheit (Pexels, allgemeine Nutzung)[German]OpenSSL has released a security update to close a vulnerability in the library. The BN_mod_sqrt() function used to compute a modular square root contains an a flaw that could cause an infinite loop to be run for non-primary moduli. The vulnerability, if exploited, would lead to denial of service loops. This is according to this OpenSLL security alert. Internally, this feature is used when parsing certificates that contain elliptic curve keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by creating a certificate that contains invalid explicit curve parameters.The update is intended to fix the vulnerability. In addition to the notes in the security alert above, the colleagues at Bleeping Computer have published this post about it.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *