Several security vulnerabilities were discovered in OpenSSL, a critical library for securing communication across the internet. These vulnerabilities could be exploited by attackers to launch denial-of-service (DoS) attacks, potentially disrupting critical services. The Ubuntu security team has swiftly responded by releasing security updates for different Ubuntu releases, including Ubuntu 16.04 and Ubuntu 18.04.
Let’s delve into the specifics of these vulnerabilities:
Four OpenSSL Vulnerabilities Fixed
One of the flaws identified in OpenSSL is the slow checking of excessively long Diffie-Hellman (DH) keys or parameters. This may affect applications using the DH_check(), DH_check_ex(), or EVP_PKEY_param_check() function, potentially leading to denial of service, especially when checking untrusted sources.
After patching CVE-2023-3446. It was found that a large ‘q’ parameter value can trigger prolonged computations during certain checks. Given that a correct q value cannot exceed the modulus p parameter, these checks become unnecessary if q surpasses p. Applications utilizing DH_check() with key or parameters from untrusted sources may result in denial-of-service attacks.
Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. This vulnerability, if exploited, could again cause resource exhaustion, leading to a denial of service.
Processing a maliciously crafted PKCS12 file could crash the OpenSSL service, potentially causing a DoS attack. Applications loading PKCS12 files from untrusted sources may abruptly terminate. Despite the PKCS12 specification permitting certain fields to be NULL, OpenSSL fails to adequately verify this condition, leading to a NULL pointer dereference and subsequent crash.
Mitigation Measures
To safeguard against these vulnerabilities, users are strongly advised to apply security updates promptly by updating their openssl packages. However, it’s worth noting that security updates for Ubuntu 16.04 and Ubuntu 18.04 are exclusively available through Extended Support Maintenance via Ubuntu Pro.
For those seeking a cost-effective alternative to Ubuntu Pro, TuxCare’s Extended Lifecycle Support offers a viable solution. It provides automated vulnerability patches for your end-of-life system for up to five years after standard support ends. This ensures continued security for your Ubuntu 16.04 and Ubuntu 18.04 systems without the high cost of a full Ubuntu Pro subscription.
Conclusion
The patches for these vulnerabilities are already released in TuxCare’s Extended Lifecycle Support for Ubuntu 16.04 and Ubuntu 18.04. By utilizing this extended support, you can effectively address these OpenSSL vulnerabilities and safeguard your end-of-life Ubuntu systems from potential attacks.
Source: USN-6709-1
The post OpenSSL Vulnerabilities Patched in Ubuntu 18.04 appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/openssl-vulnerabilities-patched-in-ubuntu-18-04/
Rohan Timalsina Denial of Service (DoS) attacks, Extended Lifecycle Support, Linux & Open Source News, OpenSSL library, OpenSSL Patches, OpenSSL Patching, openssl vulnerabilities, Ubuntu 16.04, Ubuntu 16.04 End of Life, Ubuntu 18.04 End of Life, ubuntu 18.04 security updates, Ubuntu 18.04 security vulnerabilities, Ubuntu Security Fixes, Ubuntu Security Updates