OpenSSL has just published two HIGH severity security advisories, previously pre-announced as a single CRITICAL advisory.
The update patches a buffer overrun vulnerability that occurs during certificate verification. The certificate needs to contain a malicious Punycode-encoded name, and the vulnerability is only triggered AFTER the certificate chain has been verified. An attacker therefore first needs to have a malicious certificate signed by a certificate authority the client trusts.
As an interesting aside, this is the second big announcement from OpenSSL: back in 2014 they announced Heartbleed. That protocol-level vulnerability remains unpatched on a significant number of internet-accessible systems.
NCSC-NL and other partners are building a list of software that is known to be vulnerable (or not) to this latest OpenSSL vulnerability. This is NOT an exhaustive list, but hopefully a useful reference!
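As an added example (not code from the original post, from OpenSSL, or from the NCSC-NL list), the following Python script shows two defender-side checks that follow from the description above and from the affected-software inventory effort: it parses an OpenSSL version banner and compares it with a fixed version you supply from the advisory (FIXED_VERSION below is a placeholder, not a value taken from this post), and it flags certificate names that carry Punycode (xn--) labels, reporting whether each label decodes with Python's own punycode codec. The sample names are constructed for the example.

```python
"""Added example (not from the original post): two defender-side checks
related to the OpenSSL Punycode certificate-verification bug described above.

1. parse_openssl_version()/needs_update(): parse an OpenSSL banner such as
   ssl.OPENSSL_VERSION and compare it against the fixed version named in the
   vendor advisory, for building a "which of our systems need the update" list.
2. punycode_labels()/decode_label()/inspect_names(): list the Punycode (xn--)
   labels in certificate names and report which ones fail to decode with
   Python's own punycode codec, as a triage signal for certificates to examine.

FIXED_VERSION and SAMPLE_NAMES are constructed placeholders for this example.
"""
import codecs
import re
import ssl

# ASSUMPTION / placeholder: take the real fixed version from the OpenSSL advisory.
FIXED_VERSION = (3, 0, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from a banner like 'OpenSSL 3.0.6 11 Oct 2022'.

    Returns None when the banner does not look like an OpenSSL version string
    (for example a LibreSSL banner), so the caller can report 'unknown' rather
    than silently treating the build as patched.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def needs_update(banner, fixed=FIXED_VERSION):
    """True if the banner is on the same major.minor branch as `fixed` but older.

    Only the branch named in the advisory is compared; builds on other branches
    are reported as not needing *this* update (they may carry their own fixes).
    """
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return version[:2] == fixed[:2] and version < fixed


def punycode_labels(name):
    """Return the A-labels (starting with xn--) of a DNS name or e-mail address.

    For an e-mail address only the host part after the last '@' is inspected.
    """
    host = name.rsplit("@", 1)[-1]
    return [label for label in host.lower().split(".") if label.startswith("xn--")]


def decode_label(label):
    """Decode one xn-- label with Python's punycode codec; None if malformed."""
    try:
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    except (UnicodeError, ValueError):
        # UnicodeError covers truncated or out-of-alphabet Punycode input.
        return None


def inspect_names(names):
    """Report every name that carries xn-- labels and whether each label decodes."""
    report = []
    for name in names:
        labels = punycode_labels(name)
        if labels:
            report.append({"name": name,
                           "labels": {label: decode_label(label) for label in labels}})
    return report


# Constructed sample of names as they might appear in a certificate's subjectAltName.
SAMPLE_NAMES = [
    "www.example.com",                # plain ASCII name, not reported
    "xn--bcher-kva.example",          # 'bücher.example', decodes cleanly
    "admin@xn--bcher-kva.example",    # e-mail address; its host label is inspected
    "xn--zz.example",                 # truncated Punycode, fails to decode
]

if __name__ == "__main__":
    banner = ssl.OPENSSL_VERSION
    if parse_openssl_version(banner) is None:
        print(f"{banner!r}: not an OpenSSL build, check manually")
    else:
        print(f"{banner!r} needs the update: {needs_update(banner)}")
    for entry in inspect_names(SAMPLE_NAMES):
        print(entry)
```

The Punycode decode uses Python's codec, not OpenSSL's, so a label that decodes cleanly here says nothing about how OpenSSL's own decoder handles it; the report is only a triage aid for deciding which certificates to look at, and the version check is what tells you whether a system still needs the update. Because the overrun is only reached after the chain has been verified, reviewing which certificate authorities a client trusts reduces exposure, but it does not replace applying the update.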
For more information, check out these links!
This post was originally authored on this blog; you can also see the corresponding LinkedIn article here: https://www.linkedin.com/pulse/unexpectations-andrew-barnes/