
OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011


Since 2011, a bug has existed in OpenSSL that means innocuous code like:

```javascript
// An empty NPN protocol list is the case that triggers the bug.
require('tls').connect({port: 443, NPNProtocols: new Uint8Array()}, function(c) {})
```

or (equivalently, in Python):

```python
import ssl, socket

assert ssl.HAS_NPN
ctx = ssl.create_default_context()
ctx.set_npn_protocols([])  # empty NPN protocol list: the triggering case
ctx.load_verify_locations('root.crt')
sock = socket.create_connection(('127.0.0.1', 443))
sock = ctx.wrap_socket(sock, server_hostname='localhost')
sock.write(b'hello')
```

silently sends up to 255 bytes of the client’s heap to the server. The server must support NPN, and the heap data is encrypted in transit.

You should review your historic usage of SSL_select_next_proto and, if you could ever have triggered this bug, I would suggest rolling any secrets available to affected programs. Valgrind immediately points it out once triggered, and a really basic static pointer-bounds analysis should also find it (though likely with a huge false-positive rate in other code). If SSL_select_next_proto is used straightforwardly in a server’s ALPN callback, there is no impact, because other code in OpenSSL validates the client’s extension as being non-empty.
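The non-empty validation the post refers to, as an added example that is not OpenSSL's code: a small C model of protocol selection over the NPN/ALPN wire format that validates both length-prefixed lists before reading any entry, so the empty client list that the Node and Python snippets above produce is rejected rather than read past. The function name select_proto_checked and the PROTO_* codes are this example's own.

```c
#include <string.h>

/* Outcome codes; the names are this example's own, not OpenSSL's. */
enum { PROTO_NEGOTIATED = 1, PROTO_NO_OVERLAP = 2, PROTO_MALFORMED = 3 };
/* Wire-format list: entries of a 1-byte length followed by that many bytes.
 * Return 1 only if non-empty and every entry lies inside [buf, buf + len). */
static int proto_list_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (buf == NULL || len == 0)
        return 0;                     /* empty list: no byte may be read */
    while (i < len) {
        size_t n = buf[i];
        if (n == 0 || i + 1 + n > len)
            return 0;                 /* empty entry or entry overruns buffer */
        i += 1 + n;
    }
    return 1;
}

/* First server protocol also present in the client list. Both lists are
 * validated before any entry is read, so an empty or truncated client list
 * yields PROTO_MALFORMED rather than an out-of-bounds read. */
int select_proto_checked(const unsigned char *server, size_t server_len,
                         const unsigned char *client, size_t client_len,
                         const unsigned char **out, unsigned char *outlen)
{
    size_t i, j;
    *out = NULL; *outlen = 0;
    if (!proto_list_valid(server, server_len) ||
        !proto_list_valid(client, client_len))
        return PROTO_MALFORMED;
    for (i = 0; i < server_len; i += 1 + server[i])
        for (j = 0; j < client_len; j += 1 + client[j])
            if (server[i] == client[j] &&
                memcmp(server + i + 1, client + j + 1, server[i]) == 0) {
                *out = server + i + 1;
                *outlen = server[i];
                return PROTO_NEGOTIATED;
            }
    return PROTO_NO_OVERLAP;
}

/* Helper for NUL-free sample lists: 1 if negotiation picks exactly `expect`. */
int negotiates_to(const char *server, const char *client, const char *expect)
{
    const unsigned char *out;
    unsigned char outlen;
    int rc = select_proto_checked((const unsigned char *)server, strlen(server),
                                  (const unsigned char *)client, strlen(client),
                                  &out, &outlen);
    return rc == PROTO_NEGOTIATED && outlen == strlen(expect) &&
           memcmp(out, expect, outlen) == 0;
}
```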
