OpenSSL high severity vulnerabilities
The OpenSSL team has revealed the previously announced security vulnerabilities: 2 security issues with severity “high” have been disclosed.
The first bug is a out-of-bounds memory write, potentially allowing a malicious certificate to write data in memory areas used by other applications.
If an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger an out-of-bounds write.
This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations.
Applications that parse and re-encode X509 certificates are known to be vulnerable.
The second vulnerability could allow a man-in-the-middle (MITM) decryption of traffic. If you have access in between the server performing TLS encryption and the client connecting to it, this would allow you to decrypt that traffic.
A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.
For both fixes, an openssl update has been released. All packages are available on Linux distributions, so it’s time to update and restart all depending services (or, when in doubt, restart the entire server).
ImageMagick: Remote Code Execution
The second vulnerability this week comes from the ImageMagick application, used widely in web applications for processing images, generating thumbnails, resizing, rotating, … images. ImageMagick is used in both PHP and Ruby applications worldwide.
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.
A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick.
If an attacker can upload an image to your webserver (think forum or blog avatars, webshop product photos, blog uploads, …), ImageMagick would parse it and could trigger a remote code execution, offering the attacker a shell or backdoor on your server.
The quickest fix here is to apply an ImageMagick policy file, that prevents the exploitable image formats from being used. Place this in the file
<policymap> <policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="MVG" /> <olicy domain="coder" rights="none" pattern="MSL" /> </policymap>
Update packages for ImageMagick will surely follow soon.