OpenSSL Vulnerability and why you should care
“OpenSSL has released a security update to address a vulnerability affecting all versions of 1.0.2 and 1.1.1 released before version 1.1.1i. An attacker could exploit this vulnerability to cause a denial-of-service condition.”
When the function responsible for comparing GENERALNAMEs in a certificate behaves incorrectly, a NULL pointer dereference and crash can occur, leading to a possible denial-of-service attack. This bug affects the availability of all unpatched OpenSSL systems.
According to OpenSSL.org, “All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked.” Systems running OpenSSL 1.1.1 should upgrade to 1.1.1i. All other versions are out of support and should be upgraded to 1.1.1i as well.
Universally, all *nix-based devices, big or small, appliance or physical/virtual machine, use OpenSSL for SSH communication and for providing SSL capabilities via web servers or other REST APIs, so this bug potentially affects millions of devices across the internet. Although at this point the bug only causes a denial of service and no remote code execution is possible, it is worthwhile to patch or upgrade to avoid availability problems.
A malicious attacker could force a service that uses OpenSSL (SSH, SFTP, SSL, HTTPS, REST APIs, OpenVPN, etc.) to perform this comparison using a specially crafted certificate, triggering the vulnerability and crashing the service.
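The practical first step the advisory implies is an inventory check: which of your hosts report an OpenSSL release that the text above calls affected (every 1.0.2 release, and 1.1.1 releases before 1.1.1i), which are already on 1.1.1i or later, and which are on out-of-support branches that OpenSSL did not check and that should be upgraded too. The following POSIX shell function is an added example written for this page, not BluSapphire's or OpenSSL's own tooling; it classifies the banner printed by `openssl version`, and the sample banners at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify an `openssl version`
# banner against the advisory's version list.
#   VULNERABLE  - 1.0.2 (any letter), or 1.1.1 before 1.1.1i (advisory: affected)
#   PATCHED     - 1.1.1i or later in the 1.1.1 branch
#   UNSUPPORTED - older branches OpenSSL calls out of support; upgrade as well
#   UNKNOWN     - a banner this advisory does not cover (e.g. LibreSSL, 3.x)

openssl_status() {
    # $1 is the whole banner, e.g. "OpenSSL 1.1.1h  22 Sep 2020";
    # the second whitespace-separated field is the version string.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.2*)            echo VULNERABLE ;;   # entire 1.0.2 branch is affected
        1.1.1 | 1.1.1-*)   echo VULNERABLE ;;   # bare 1.1.1 and its pre-releases predate 1.1.1i
        1.1.1[a-h]*)       echo VULNERABLE ;;   # 1.1.1a .. 1.1.1h
        1.1.1[i-z]*)       echo PATCHED ;;      # 1.1.1i or later
        0.9.* | 1.0.0* | 1.0.1* | 1.1.0*)
                           echo UNSUPPORTED ;;  # out of support, not checked by OpenSSL
        *)                 echo UNKNOWN ;;      # not covered by this advisory
    esac
}

# Run against the local library when invoked directly. Skipped silently if
# the openssl binary is absent, so the function can also be sourced elsewhere.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version 2>/dev/null) && \
        printf '%s -> %s\n' "$banner" "$(openssl_status "$banner")"
fi
```

An UNKNOWN result is deliberately not treated as safe: it means the banner belongs to a release the advisory does not list, so the host still needs a separate decision. For fleet use, collect `openssl version` from each host (or the vendor's appliance version page) and feed each banner to `openssl_status`; anything not PATCHED goes on the upgrade list.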
What devices are affected?
Any and all devices using OpenSSL are affected. This includes web servers, proxy devices, load balancers, SSL VPN gateways, security appliances that rely on OpenSSL, SSH-based access systems, IoT devices such as video cameras, home surveillance and home security devices that use SSL, and any other service that relies on OpenSSL. Most corporate device vendors will quickly provide a patch or a method to patch their appliances, so look out for the patches and apply them immediately.
IoT devices are much harder to patch, as most vendors will not be able to provide a patch. Even if they can, most users of these devices lack the know-how or skillset required to patch them. So, like Heartbleed, you can expect to see vulnerable systems on the internet for years.
Does it affect BluSapphire systems?
At BluSapphire we have tested the update in our lab. After testing, we applied the patches in production. The hosted systems have been updated. We have also pushed out the updates to all our customer appliances globally. Customers using BluSapphire on air-gapped networks can contact the BluSapphire Support Team and schedule a patch update on their systems. Support for security patches is always free and does not count against your support hours.