OpenSSL patched two vulnerabilities, one of which was rated ‘high severity’.
“The more urgent of the two patches addresses a flaw introduced in OpenSSL 1.0.2 providing support for generating X9.42 style Diffie-Hellman parameters. Previously, these parameters were generated using only ‘safe’ prime numbers, but OpenSSL said today in its advisory that primes used in X9.42 parameter files may not be safe,” explained Threatpost.
The post also said that the other vulnerability, which is less severe, allows an attacker to pull off a client-side hack by negotiating weaker SSLv2 ciphers.
“OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default,” said the advisory from OpenSSL. “If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack.”
“The project team also said the upgraded crypto strength for the Logjam mitigation now allows for the rejection of handshakes with Diffie Hellman parameters shorter than 768 bits.”
“This limit has been increased to 1024 bits in this release, to offer stronger cryptographic assurance for all TLS connections using ephemeral Diffie-Hellman key exchange,” OpenSSL said.
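The following is an added example, not code from OpenSSL or Threatpost: a small Python audit that checks a DH modulus for the two properties discussed above (safe prime, and the 1024-bit limit) and applies the standard subgroup membership check to a peer value in an X9.42-style group. The function names and the toy groups are constructed for illustration and are far too small for real use.

```python
import random

MIN_DH_BITS = 1024  # limit quoted on this page for the patched release

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with trial division by small primes first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: n is composite
    return True

def audit_dh_modulus(p):
    """Report the two properties the page discusses for a DH modulus p."""
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {
        "bits": p.bit_length(),
        "below_minimum": p.bit_length() < MIN_DH_BITS,
        "safe_prime": safe,
        # With a non-safe prime, a reused private exponent is the exposure
        # the advisory describes, so SSL_OP_SINGLE_DH_USE should be set.
        "needs_single_dh_use": not safe,
    }

def peer_value_ok(y, p, q):
    """Subgroup check for X9.42-style groups: 1 < y < p-1 and y^q = 1 mod p."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

# Constructed toy groups (far too small for real use):
SAFE_P = 2039                        # (2039 - 1) / 2 = 1019 is prime
X942_P, X942_Q, X942_G = 67, 11, 64  # 67 - 1 = 2 * 3 * 11, g has order 11

if __name__ == "__main__":
    print(audit_dh_modulus(SAFE_P))
    print(audit_dh_modulus(X942_P))
    print(peer_value_ok(X942_G, X942_P, X942_Q), peer_value_ok(2, X942_P, X942_Q))
```
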
If you are concerned about threats entering your network from the Internet, Omega PreEmpt can help. It uses predictive intelligence to discover unknown threats. It is a cloud-delivered Web Security and network filtering service that will protect every device on and off the network.
It not only blocks malware, botnets and phishing over any port, protocol or app, but also detects and contains any advanced attacks before they can cause damage. It uses big-data analytics and machine learning to automate protection against both known and unknown threats. Omega PreEmpt™ stays up-to-date with no software to install, no hardware to maintain, and no admin needed to intervene.
Call Omega if you’d like to understand more about this solution. 636-557-7777 or email Security@OmegaSecure.com.