Threat Watch

OpenSSL Update Fixes Two High-Severity Vulnerabilities

The OpenSSL project released a new version yesterday that includes fixes for two vulnerabilities. CVE-2021-3449 allows a denial of service against servers: if a maliciously crafted ClientHello is sent to the server during a renegotiation without the signature_algorithms extension but with the signature_algorithms_cert extension, the server can crash. Exploiting this vulnerability to crash the server is trivial, especially if the vulnerable device is accessible from the Internet. CVE-2021-3450 affects both clients and servers. Due to improper validation, a certificate issued by a regular, non-Certificate Authority certificate may be accepted as valid.


OpenSSL versions 1.1.1 through 1.1.1j are affected by these two vulnerabilities. Administrators and developers using these versions are advised to update to OpenSSL 1.1.1k as soon as possible to avoid potential disruptions. Because OpenSSL is used by so many software projects (both commercially supported and open source) and included in many embedded systems, known as the Internet of Things (IoT), it is likely that significant analysis effort will have to be performed by security defenders for organizations to determine all of the systems that are affected. Many IoT devices will require manual patching, and patches may not even be available for software products that are no longer supported. Security administrators should carefully consider whether to continue to allow unpatched software or devices to run or mitigate their exposure by implementing firewall rules to limit the network traffic to them.
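The inventory step above (deciding which hosts fall in the 1.1.1 through 1.1.1j range) is the part that lends itself to automation. The following is an added example, not part of the original advisory or of the OpenSSL project: it parses the string printed by `openssl version` and triages a constructed host inventory; the hostnames, the inventory shape and the helper names are assumptions.

```python
import re

# Constructed inventory: (hostname, output of `openssl version` on that host).
# Assumption: each host was polled with `openssl version` and the first line kept.
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.1.1j  16 Feb 2021"),
    ("web-02", "OpenSSL 1.1.1k  25 Mar 2021"),
    ("legacy-db", "OpenSSL 1.0.2u  20 Dec 2019"),
    ("cam-gw", "OpenSSL 1.1.1  11 Sep 2018"),
    ("build-box", "OpenSSL 3.0.0 7 sep 2021"),
    ("sensor-7", "sh: openssl: not found"),
]

# Matches "OpenSSL 1.1.1j", "OpenSSL 1.1.1" (no patch letter) or "OpenSSL 3.0.0".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(line):
    """Return (major, minor, fix, letter) from an `openssl version` line, or None."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_affected_by_3449_3450(version):
    """True for 1.1.1 through 1.1.1j, the range named in the advisory.

    1.1.1k and later carry the fix; other branches (1.0.2, 3.0) are outside
    the range given here and are reported as not affected by these two CVEs.
    """
    major, minor, fix, letter = version
    if (major, minor, fix) != (1, 1, 1):
        return False
    # The letter-less 1.1.1 release sorts before 1.1.1a; "" <= "j" is True.
    return letter <= "j"


def triage_hosts(inventory):
    """Return (affected, unknown): hosts needing 1.1.1k, and hosts whose
    version could not be read (e.g. no openssl binary). A statically linked
    OpenSSL inside an application binary will not be found this way, so
    'unknown' and 'not affected' both still need a closer look."""
    affected, unknown = [], []
    for host, line in inventory:
        version = parse_openssl_version(line)
        if version is None:
            unknown.append(host)
        elif is_affected_by_3449_3450(version):
            affected.append(host)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    print(triage_hosts(SAMPLE_INVENTORY))
```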