OpenSSL Patches: Two New Named Attacks

In addition to the new vulnerabilities identified in January of this year, OpenSSL has once again had to release a slew of patches to correct problematic areas, which could ultimately affect your FIPS validation, Common Criteria evaluation or listing on the DoDIN APL.

There are now at least two named attacks as part of the OpenSSL patches, DROWN, which looks like a Transport Layer Security (TLS) downgrade attack, and CacheBleed, a timing attack requiring access to the system, with specific CPU requirements.

There are several additional vulnerabilities in the OpenSSL announcement, including CVE-2016-0703, which received a high severity rating. This vulnerability builds upon the DROWN attack, and allows for trivial, remote key recovery from vulnerable servers.

In total more than 6 patches have been released over the past 2 months to fix multiple problems, including some severe vulnerabilities.

Get in touch with our Experts to learn how these patches may affect your products and your certification efforts.

You can also learn more about new crypto libraries that can keep your product protected and safe from CMVP’s recent archival program.