Vulnerabilities found in OpenSSL

1 April 2021

In OpenSSL, widely used software for setting up HTTPS connections, two vulnerabilities have recently been found. One can be used to crash a server, making websites unreachable; the other weakens certificate verification. Do you use OpenSSL? Check your OpenSSL version so that you can update quickly if necessary.

What exactly is going on?

At the end of March a proof-of-concept exploit demonstrating the two vulnerabilities was published on the widely used platform GitHub. The first vulnerability (CVE-2021-3449) lies in the implementation of TLSv1.2 renegotiation: a specially crafted renegotiation ClientHello (one that omits the signature_algorithms extension but includes signature_algorithms_cert) triggers a NULL pointer dereference and crashes the server, a Denial of Service (DoS). The second vulnerability (CVE-2021-3450) is a flaw in certificate chain verification when the X509_V_FLAG_X509_STRICT flag is set: the check that the issuing certificate is actually a CA certificate is skipped, which can allow a Man in the Middle attack in which traffic is read and modified.

What is the impact?

The National Cyber Security Center (NCSC) has rated the risk of these vulnerabilities as 'high', because both the likelihood of abuse in the short term and the potential damage are high. OpenSSL 1.1.1 up to and including 1.1.1j is vulnerable to CVE-2021-3449 (CVE-2021-3450 affects 1.1.1h through 1.1.1j); the OpenSSL 1.0.2 branch is not affected. Servers are exposed to CVE-2021-3449 if TLSv1.2 and renegotiation are enabled, which is the default configuration.

What can you do?

The OpenSSL Project Team has released a security update for the two vulnerabilities. Are you using OpenSSL 1.1.1 up to and including 1.1.1j? Update to version 1.1.1k as soon as possible. Note that Linux distributions often backport the fix into their own package of an older 1.1.1 release without changing the version string that "openssl version" prints; in that case compare the package version with your distribution's advisory rather than relying on the upstream version number alone.
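The following shell snippet is an added example (not from the original advisory or the OpenSSL project) that classifies the output of "openssl version" against the affected range 1.1.1 through 1.1.1j. The function names and the sample version strings are constructed for illustration; the only real command it relies on is "openssl version".

```shell
#!/bin/sh
# Added example: decide whether a reported OpenSSL version falls in the
# range affected by CVE-2021-3449 / CVE-2021-3450 (1.1.1 .. 1.1.1j).
# Returns 0 (affected) or 1 (not in the affected range / not OpenSSL).
openssl_affected() {
    # $1 is a full "openssl version" line, e.g. "OpenSSL 1.1.1j  16 Feb 2021".
    # Extract the version token; pre-release suffixes such as "-alpha13"
    # are cut off at the '-'. LibreSSL and other strings yield an empty $ver.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    case "$ver" in
        1.1.1)       return 0 ;;   # 1.1.1 base release (affected)
        1.1.1[a-j])  return 0 ;;   # 1.1.1a .. 1.1.1j (affected)
        *)           return 1 ;;   # 1.1.1k+, 1.0.2, 3.0.x, LibreSSL, unknown
    esac
}

# Human-readable verdict for a version line; used by the local check below.
openssl_status() {
    if openssl_affected "$1"; then
        printf 'AFFECTED: %s -> update to 1.1.1k\n' "$1"
    else
        printf 'OK: %s\n' "$1"
    fi
}

# Check the openssl binary on PATH, if any. Caveat: distributions that
# backport the fix keep the upstream version string, so a hit here means
# "verify against your distribution's advisory", not "certainly vulnerable".
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        openssl_status "$(openssl version)"
    else
        echo "openssl not found on PATH"
    fi
}

# Run the local check only when executed directly, not when sourced.
case "$0" in
    *check_openssl*) check_local_openssl ;;
esac
```

To confirm the renegotiation precondition for CVE-2021-3449 against a live server, connect with "openssl s_client -connect host:443 -tls1_2" and type R on its own line; if the server accepts the renegotiation, the precondition is met and the version check above decides whether it is at risk.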
