Red Hat warns of hole in OpenSSL
In an advisory, Linux distributor Red Hat has warned that a security vulnerability in OpenSSL can potentially be remotely exploited to break into a server. Affected versions include OpenSSL 0.9.8f to 0.9.8o, 1.0.0 and 1.0.0a. Updating to OpenSSL 0.9.8p or 1.0.0b closes the hole.
The problem is caused by a race condition in the OpenSSL code for parsing TLS extensions. In certain circumstances a heap overflow can potentially be triggered if multiple sessions try to set a host name via a TLS extension. This allows attackers to inject up to 255 bytes of code into the application's heap and to execute it.
However, the OpenSSL developers point out that the flaw only exists on servers which support multi-threading and use OpenSSL's internal caching feature. The Apache web server and solutions such as Stunnel are said not to be vulnerable because they don't support internal caching by default.
When tested on single core processors by the Red Hat developers, the flaw was apparently only exploitable by artificially slowing down the threads. On multi-core processors, the potential for creating a race condition is said to be higher. However, in the cases that have been monitored so far it appears that the race conditions have only crashed server applications.
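As an added example, not part of the Red Hat advisory or of OpenSSL itself, the following Python helper parses the version string printed by `openssl version` and classifies it against the affected and fixed ranges quoted above. The affected ranges (0.9.8f to 0.9.8o, 1.0.0 and 1.0.0a) and fixed releases (0.9.8p, 1.0.0b) are taken from the text; the sample version strings are constructed, and the letter-suffix ordering assumes OpenSSL's usual scheme where a bare base version sorts before the lettered releases.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges as stated in the advisory text: (base, letter) pairs.
AFFECTED_RANGES = [
    (("0.9.8", "f"), ("0.9.8", "o")),
    (("1.0.0", ""), ("1.0.0", "a")),   # "1.0.0" with no letter is also affected
]

# First fixed letter release on each affected branch, as stated in the text.
FIXED_VERSIONS = {"0.9.8": "p", "1.0.0": "b"}

# Matches "0.9.8o", "1.0.0", "0.9.8zh" inside a longer string such as the
# output of `openssl version` ("OpenSSL 1.0.0a 1 Jun 2010").
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Tuple[str, str]]:
    """Return (base, letter_suffix) for the first OpenSSL-style version in text.

    'OpenSSL 0.9.8o 01 Jun 2010' -> ('0.9.8', 'o');  '1.0.0' -> ('1.0.0', '').
    Returns None when no version pattern is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return match.group(1), match.group(2)


def classify(text: str) -> str:
    """Classify a version string as 'affected', 'fixed', 'not listed' or 'unknown'.

    Letter suffixes compare as plain strings: '' < 'a' < ... < 'z' < 'za' < 'zb',
    which matches how OpenSSL numbered its letter releases (assumption noted
    in the lead-in).
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    base, letter = parsed

    for (lo_base, lo_letter), (hi_base, hi_letter) in AFFECTED_RANGES:
        if base == lo_base == hi_base and lo_letter <= letter <= hi_letter:
            return "affected"

    fixed_letter = FIXED_VERSIONS.get(base)
    if fixed_letter is not None and letter >= fixed_letter:
        return "fixed"

    # Either an older release below the affected range, or a branch the
    # advisory does not mention at all.
    return "not listed"


if __name__ == "__main__":
    # Constructed sample strings in the shape printed by `openssl version`.
    samples = [
        "OpenSSL 0.9.8o 01 Jun 2010",
        "OpenSSL 0.9.8p 16 Nov 2010",
        "OpenSSL 1.0.0 29 Mar 2010",
        "OpenSSL 1.0.0b 16 Nov 2010",
        "OpenSSL 0.9.8e 23 Feb 2007",
    ]
    for sample in samples:
        print(f"{sample!r:40} -> {classify(sample)}")
```

A version-string check is only a first pass. Distributions such as Red Hat routinely backport security fixes without changing the upstream version string, so a host reporting 1.0.0 may already carry the patch; the package changelog or distribution advisory is authoritative. Conversely, per the text, an affected version is only exposed when the server is multi-threaded and uses OpenSSL's internal session cache, so the classification identifies candidates for review rather than confirmed exposure.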