The OpenSSL Project released OpenSSL 1.1.1l on Tuesday, which fixes a high-severity vulnerability that might allow an attacker to change an application’s behaviour or force it to crash.
The bug, tracked as CVE-2021-3711, is a buffer overflow in OpenSSL's SM2 decryption code.
“A malicious attacker who is able to offer SM2 content for decryption to an application could cause attacker-chosen data to overrun the buffer by up to 62 bytes, thereby changing application behaviour or causing the programme to crash. The buffer’s location is application-dependent, but it’s usually heap allocated,” according to an advisory from the OpenSSL Project.
The changes an attacker could make, according to Matt Caswell of the OpenSSL Project, depend on the targeted programme and the type of data it holds in the heap immediately after the overrun buffer.
“Consider each type of data that an application might store in memory (e.g., financials, credentials, etc.) and consider what might happen if an attacker could change it,” he said.
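The OpenSSL advisory describes the trigger in terms of the library's two-call convention: an application calls EVP_PKEY_decrypt() once with a NULL output buffer to learn the required plaintext size, allocates that much, and calls again to decrypt, and the size reported by the first call could be smaller than what the second call wrote. The following C program is an added illustration of that defect class and of the caller-side habit that limits the damage; it is not code from the article or from OpenSSL. model_decrypt(), fake_ciphertext, OVERHEAD_GUESS and the slack field are all constructed for this example, and the 62-byte figure is taken from the advisory quoted above. The real remedy is upgrading to the fixed release; the point of the example is that a caller of any size-query-then-fill API should pass its allocated capacity in the length parameter and refuse the result on a mismatch, rather than trusting the first estimate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a two-call decrypt API: call once with out == NULL
 * to learn the required size, allocate, then call again to fill the buffer.
 * The size estimate is derived from the ciphertext length, while the real
 * plaintext is longer by `slack` bytes, which mirrors the class of bug the
 * advisory describes (an estimate smaller than the bytes actually written). */
#define OVERHEAD_GUESS 16   /* constructed: framing bytes the estimator assumes */

typedef struct {
    const unsigned char *ct;
    size_t ct_len;
    size_t slack;           /* constructed: plaintext bytes the estimate misses */
} fake_ciphertext;

/* Pass 1 (out == NULL): report the (under-)estimate.
 * Pass 2: write the real plaintext, but only if the caller's stated capacity
 * in *outlen is large enough. Returns 0 on success, -1 on a short buffer. */
static int model_decrypt(unsigned char *out, size_t *outlen, const fake_ciphertext *c)
{
    size_t real_len = c->ct_len - OVERHEAD_GUESS + c->slack;
    if (out == NULL) {
        *outlen = c->ct_len - OVERHEAD_GUESS;   /* estimate ignores `slack` */
        return 0;
    }
    if (*outlen < real_len)     /* fail closed instead of overrunning */
        return -1;
    memset(out, 'P', real_len); /* stand-in for the decrypted bytes */
    *outlen = real_len;
    return 0;
}

/* How far a caller that allocated exactly the pass-1 estimate and then let
 * pass 2 write unchecked would run past its heap buffer. The overrun is
 * computed, not performed, so this program stays memory safe. */
size_t overrun_if_trusting_estimate(const fake_ciphertext *c)
{
    size_t est = 0;
    model_decrypt(NULL, &est, c);
    size_t real_len = c->ct_len - OVERHEAD_GUESS + c->slack;
    return real_len > est ? real_len - est : 0;
}

/* Defensive caller: the allocated capacity travels in *outlen so the callee
 * can refuse, and the returned length is re-checked against that capacity.
 * On success *pt is heap memory the caller must free(). */
int decrypt_bounded(const fake_ciphertext *c, unsigned char **pt, size_t *pt_len)
{
    size_t est = 0;
    if (model_decrypt(NULL, &est, c) != 0)
        return -1;
    unsigned char *buf = malloc(est);
    if (buf == NULL)
        return -1;
    size_t cap = est;
    if (model_decrypt(buf, &cap, c) != 0 || cap > est) {
        free(buf);
        return -1;  /* size mismatch between the two calls: reject the result */
    }
    *pt = buf;
    *pt_len = cap;
    return 0;
}

int main(void)
{
    unsigned char ct[64] = {0};                 /* constructed ciphertext */
    fake_ciphertext bad = { ct, sizeof ct, 62 }; /* estimate short by 62 bytes */
    printf("trusting the estimate would overrun by %zu bytes\n",
           overrun_if_trusting_estimate(&bad));

    unsigned char *pt = NULL;
    size_t n = 0;
    printf("bounded decrypt: %s\n",
           decrypt_bounded(&bad, &pt, &n) == 0 ? "ok" : "rejected (size mismatch)");
    free(pt);
    return 0;
}
```

With the constructed 64-byte input and a 62-byte shortfall, the program reports a 62-byte overrun for the trusting caller and a rejection for the bounded one; with the shortfall set to zero the bounded caller succeeds and returns the 48-byte plaintext.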
The security flaw, discovered by John Ouyang, affects OpenSSL versions prior to 1.1.1.
Users of OpenSSL should also be aware of CVE-2021-3712, a medium-severity flaw that can be exploited to cause denial of service (DoS) and possibly expose private memory contents, such as private keys. The issue is resolved in versions 1.1.1j and 1.0.2za.
This year, five more OpenSSL flaws were disclosed, two of which were rated high severity. Only three OpenSSL vulnerabilities were disclosed in 2020.
Since the Heartbleed vulnerability was revealed in 2014, the open-source TLS library has improved significantly in terms of security, with only a few high-severity issues discovered in recent years.