
SANS ISC InfoSec Handlers Diary Blog



OpenSSL bulletin

Published: 2007-10-13
Last Updated: 2007-10-13 23:54:08 UTC
by Jim Clausing (Version: 2)
0 comment(s)

The OpenSSL folks have just issued an advisory affecting DTLS in OpenSSL 0.9.8 prior to 0.9.8f, and SSL_get_shared_ciphers() in both 0.9.8 prior to 0.9.8f and 0.9.7 prior to 0.9.7m. DTLS is a UDP version of TLS described in RFC 4347.

Recommendations: If you are running 0.9.8 and can't upgrade to 0.9.8f immediately, you should disable DTLS. If you are running 0.9.7 and can't upgrade to 0.9.7m, don't use the SSL_get_shared_ciphers() routine.

Advisory: http://www.openssl.org/news/secadv_20071012.txt

CVE entries: CVE-2007-4995, CVE-2007-5135
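As an added example (not part of the original diary or of OpenSSL itself), the triage below takes the version strings you would collect from `openssl version` across a fleet and applies the two rules above: the 0.9.8 branch is affected (DTLS and SSL_get_shared_ciphers()) until 0.9.8f, the 0.9.7 branch is affected (SSL_get_shared_ciphers() only) until 0.9.7m. The host names and version lines in `INVENTORY` are constructed sample data; treating branches the advisory does not mention as "not covered" rather than "safe" is an assumption of this script.

```python
import re

# Fixed releases named in the advisory, keyed by branch.
FIXED_IN = {(0, 9, 8): "f", (0, 9, 7): "m"}

# Matches "OpenSSL 0.9.8e 23 Feb 2007", "0.9.7l", "0.9.8e-fips", "0.9.8-beta1".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter) from an `openssl version` line.

    The trailing letter is OpenSSL's patch level; an empty suffix (e.g. a
    plain "0.9.8" or "0.9.8-beta1") sorts before "a", which is what we want
    because those builds predate every lettered release of the branch.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def assess(text):
    """Map one version line to the advisory's findings and the matching advice."""
    major, minor, fix, letter = parse_version(text)
    branch = (major, minor, fix)
    result = {
        "version": f"{major}.{minor}.{fix}{letter}",
        "dtls": False,               # CVE-2007-4995 applies only to 0.9.8 < 0.9.8f
        "shared_ciphers": False,     # CVE-2007-5135 applies to both branches
        "fixed_in": None,
        "actions": [],
    }
    if branch == (0, 9, 8) and letter < FIXED_IN[branch]:
        result.update(dtls=True, shared_ciphers=True, fixed_in="0.9.8f")
        result["actions"] = [
            "upgrade to 0.9.8f",
            "until then: disable DTLS and avoid SSL_get_shared_ciphers()",
        ]
    elif branch == (0, 9, 7) and letter < FIXED_IN[branch]:
        result.update(shared_ciphers=True, fixed_in="0.9.7m")
        result["actions"] = [
            "upgrade to 0.9.7m",
            "until then: avoid SSL_get_shared_ciphers()",
        ]
    elif branch in FIXED_IN:
        result["actions"] = ["no action: at or past the fixed release"]
    else:
        # Assumption: branches outside 0.9.7/0.9.8 are not covered by this
        # advisory, so we flag them for separate review rather than calling them safe.
        result["actions"] = ["not covered by this advisory; review separately"]
    return result


def triage(inventory):
    """inventory: iterable of 'host<TAB>openssl version output' lines."""
    findings = {}
    for line in inventory:
        host, _, version_line = line.partition("\t")
        findings[host.strip()] = assess(version_line)
    return findings


# Constructed sample inventory (not real hosts); each line is host + TAB + `openssl version` output.
INVENTORY = [
    "sip-gw1\tOpenSSL 0.9.8e 23 Feb 2007",
    "web2\tOpenSSL 0.9.8f 11 Oct 2007",
    "legacy-mail\tOpenSSL 0.9.7l 28 Sep 2006",
    "build-box\tOpenSSL 0.9.8-beta1",
]

if __name__ == "__main__":
    for host, finding in triage(INVENTORY).items():
        flags = [k for k in ("dtls", "shared_ciphers") if finding[k]]
        print(f"{host:12} {finding['version']:10} {','.join(flags) or '-':20} {'; '.join(finding['actions'])}")
```

The letter comparison is plain string ordering, which is sufficient for the single-letter patch levels of the 0.9.7 and 0.9.8 branches; a DTLS-based VoIP gateway showing up with the `dtls` flag set is the case the diary's recommendation is aimed at.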

Update: Our good friend Raul Siles wrote in to remind us that DTLS is critical to secure VoIP deployments, so people running VoIP DTLS-based environments must evaluate whether their products are based on the OpenSSL implementation and ask the vendor for fixes. For more info on securing VoIP, check out the new SANS course, SEC 540.

 
