OpenSSL bulletin
The OpenSSL folks have just issued an advisory affecting DTLS in OpenSSL 0.9.8 prior to 0.9.8f and SSL_get_shared_ciphers() in both 0.9.8 prior to 0.9.8f and 0.9.7 prior to 0.9.7m. DTLS is a UDP version of TLS described in RFC 4347.
Recommendations: If you are running 0.9.8 can't upgrade to 0.9.8f immediately, you should disable DTLS. If you are running 0.9.7 and can't upgrade to 0.9.7m, don't use the SSL_get_shared_ciphers() routine.
Advisory: http://www.openssl.org/news/secadv_20071012.txt
CVE entries: CVE-2007-4995, CVE-2007-5135
Update: Our good friend Raul Siles wrote in to remind us that DTLS is critical to secure VOIP deployments, so people running VoIP DTLS-based environments must evaluate if their products are based on the OpenSSL implementation and ask the vendor for fixes. For more info on securing VOIP, check out the new SANS course, SEC 540
LINUX Incident Response and Threat Hunting | Online | US Eastern | Jan 29th - Feb 3rd 2025 |
Comments