OpenSSL released a series of patches against fourteen vulnerabilities earlier this week, including eight flaws found by 360GearTeam. Among these flaws, the highest severity lies in the OCSP Status Request extension. This flaw could allow a malicious client to exhaust the server’s memory.
OpenSSL OCSP Status Request extension unbounded memory growth
This vulnerability, CVE-2016-6304, is found in the OCSP (Online Certificate Status Protocol) Status Request extension of OpenSSL. When an HTTP connection is established, clients can obtain the revocation status of a digital certificate. Whenever a renegotiation request is sent, an unbounded memory allocation of the OCSP ids occurs on a server with the default configuration, and each such OCSP id can consume up to 65,535 bytes of memory. Therefore, attackers can trigger a Denial of Service (DoS) through memory exhaustion by continually sending renegotiation requests to the server.
If servers are using the default configuration, they are exposed to this vulnerability even if they do not support OCSP. Affected OpenSSL versions include OpenSSL 0.9.8h through 0.9.8v, OpenSSL 1.0.1 through 1.0.1t, OpenSSL 1.0.2 through 1.0.2h, and OpenSSL 1.1.0. Builds configured with the “no-ocsp” option are not affected.
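To make the failure mode concrete, the following is an added example written for this post; it is not code from the 360 advisory or from OpenSSL. It parses the status_request extension body as laid out in RFC 6066 (a one-byte status type, a responder_id_list with a two-byte length, then request_extensions with a two-byte length) and models two server-side bookkeeping policies for the responder ids it carries: one that keeps appending across renegotiations, which is the unbounded growth described above, and one that discards the previous handshake's ids at every ClientHello. The class and function names, the sample responder id and the renegotiation counts are all constructed for the illustration. The two-byte list length is also why a single request can carry at most 65,535 bytes of ids.

```python
"""Added example: parse a TLS status_request extension body and compare
per-handshake reset against unbounded accumulation of OCSP responder ids.
Not OpenSSL code; all names and sample values are constructed."""
import struct

OCSP_STATUS_TYPE = 1  # status_type value for OCSP in RFC 6066


def parse_status_request(body: bytes) -> list:
    """Parse a CertificateStatusRequest body; return the ResponderID DER blobs.

    Every length is checked against the enclosing structure so a malformed
    extension raises ValueError instead of reading past the buffer."""
    if len(body) < 5:
        raise ValueError("truncated status_request")
    status_type = body[0]
    if status_type != OCSP_STATUS_TYPE:
        raise ValueError("unsupported status_type %d" % status_type)
    (list_len,) = struct.unpack("!H", body[1:3])  # 16-bit: at most 65,535 bytes
    pos = 3
    end = pos + list_len
    if end + 2 > len(body):
        raise ValueError("responder_id_list exceeds extension")
    ids = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated ResponderID length")
        (id_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if pos + id_len > end:
            raise ValueError("ResponderID exceeds responder_id_list")
        ids.append(body[pos:pos + id_len])
        pos += id_len
    (ext_len,) = struct.unpack("!H", body[end:end + 2])
    if end + 2 + ext_len != len(body):
        raise ValueError("request_extensions length mismatch")
    return ids


def build_status_request(responder_ids) -> bytes:
    """Encode a status_request body with the given ids and no extensions."""
    lst = b"".join(struct.pack("!H", len(r)) + r for r in responder_ids)
    return (bytes([OCSP_STATUS_TYPE]) + struct.pack("!H", len(lst)) + lst
            + struct.pack("!H", 0))


class ServerState:
    """Minimal model of the per-connection OCSP id list on the server."""

    def __init__(self, reset_per_hello: bool):
        self.reset_per_hello = reset_per_hello
        self.ocsp_ids = []

    def on_client_hello(self, ext_body: bytes) -> None:
        if self.reset_per_hello:
            # Patched behaviour: ids from the previous handshake are dropped
            # before the new ClientHello's extension is parsed.
            self.ocsp_ids = []
        # Unpatched behaviour: the list simply grows on every renegotiation.
        self.ocsp_ids.extend(parse_status_request(ext_body))

    def retained_bytes(self) -> int:
        return sum(len(i) for i in self.ocsp_ids)


def simulate(reset_per_hello: bool, renegotiations: int, id_size: int = 1000) -> int:
    """Replay one constructed ClientHello through N renegotiations and
    report how many bytes of responder ids the server still holds."""
    sample_id = b"\x30" + b"A" * (id_size - 1)  # constructed DER-ish blob
    ext = build_status_request([sample_id])
    srv = ServerState(reset_per_hello)
    for _ in range(renegotiations):
        srv.on_client_hello(ext)
    return srv.retained_bytes()


if __name__ == "__main__":
    print("accumulating server after 100 renegotiations:", simulate(False, 100))
    print("resetting server after 100 renegotiations:  ", simulate(True, 100))
```

The retained byte count for the accumulating model grows linearly with the number of renegotiations on a single connection, while the resetting model stays at the size of one request; that difference, multiplied by the 65,535-byte ceiling per request, is the memory exhaustion the advisory describes.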
Some software vendors have already provided countermeasures. Users can get the fix update from the URLs below:
Although the other vulnerabilities have a lower impact than the one described above, 360 Total Security still strongly recommends that business and individual users apply the latest OpenSSL update to stay safe from potential attacks.