OpenSSL fixes critical vulnerability caused by recent patch
OpenSSL has patched a critical vulnerability that could potentially allow an attacker to execute code remotely. The vulnerability was introduced by a recent patch, according to the OpenSSL team.
OpenSSL announced Monday in a security advisory that the vulnerability only occurs in version 1.1.0a of the software. Users who have not yet performed the update should therefore immediately update from version 1.1.0 to 1.1.0b. The vulnerability, tracked as CVE-2016-6309, occurs because the software moves a buffer when a message larger than 16k is received. An attacker could then write into the freed space through a leftover (dangling) pointer. This could lead to arbitrary code execution.
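The stale-pointer condition described above, in a simplified model added here as an example; it is not OpenSSL's code, and `msg_buf`, `INIT_CAP`, `HDR_LEN` and the function names are hypothetical. It stores the message position as an offset and derives the pointer only after the buffer has grown, so a move by `realloc` cannot leave a stale pointer in use.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define INIT_CAP 16384u /* constructed: initial size, the article's ~16k */
#define HDR_LEN  4u     /* constructed: header bytes before the body */
/* Hypothetical receive buffer; not OpenSSL's real structure. */
struct msg_buf {
    unsigned char *data; /* heap block, may move when it grows */
    size_t cap;
    size_t body_off;     /* body position kept as an offset, never a pointer */
};

int msg_init(struct msg_buf *b) {
    b->data = malloc(INIT_CAP);
    b->cap = b->data ? INIT_CAP : 0;
    b->body_off = HDR_LEN;
    return b->data ? 0 : -1;
}

/* realloc may move the block; raw pointers into the old one then dangle. */
int msg_grow(struct msg_buf *b, size_t need) {
    if (need <= b->cap) return 0;
    unsigned char *p = realloc(b->data, need);
    if (!p) return -1;               /* old block is still valid on failure */
    b->data = p; b->cap = need;
    return 0;
}

/* Derive the body pointer from the current base each time it is needed. */
unsigned char *msg_body(struct msg_buf *b) { return b->data + b->body_off; }

/* Unsafe order, shown only as a comment: cache body = b->data + HDR_LEN,
 * call msg_grow(), then memcpy(body, ...) writes through a stale pointer. */
int msg_store_body(struct msg_buf *b, const unsigned char *src, size_t len) {
    if (len > SIZE_MAX - HDR_LEN) return -1;        /* size overflow guard */
    if (msg_grow(b, HDR_LEN + len) != 0) return -1; /* grow first */
    memcpy(msg_body(b), src, len);                  /* pointer derived after growth */
    return 0;
}
void msg_free(struct msg_buf *b) { free(b->data); b->data = NULL; b->cap = 0; }

int main(void) {
    static unsigned char src[20000]; /* constructed message larger than 16k */
    struct msg_buf b;
    int rc = msg_init(&b) || msg_store_body(&b, src, sizeof src);
    msg_free(&b);
    return rc;
}
```

Building the model with AddressSanitizer (`-fsanitize=address`) and switching to the commented order makes the stale write show up as a heap-use-after-free report whenever the block moves.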
The OpenSSL team released a patch last week for a vulnerability that allowed remote code execution. The team rated that vulnerability as “high” risk. In contrast, the vulnerability introduced by the patch has been marked as “critical”, the most serious category. The team says it released the advisory without the usual advance notice because of the seriousness of the issue. OpenSSL has named Robert Święcki of Google’s security team as the discoverer of the vulnerability.