OpenSSL SSL Death Alert (CVE-2016-8610)

Posted Under: Linux, OpenSSL, Penetration Testing, Security, Tutorials, Windows on Dec 16, 2016
OpenSSL's SSL Death Alert is a denial of service (DoS) attack. It stems from the way OpenSSL handles ALERT packets during an SSL/TLS handshake.

A malicious user sends an immense number of plaintext ALERT packets of type "SSL3_AL_WARNING" during the handshake. A programming bug causes OpenSSL to ignore each undefined warning alert and continue processing the remaining data. This means the malicious user can pack many alert packets into one request, so that OpenSSL stays busy handling meaningless requests and becomes unavailable to legitimate users. There is no leakage of data or keys from this attack, and the bug is independent of the encryption algorithm in use. The bug has the CVE ID CVE-2016-8610; search Google for more information, updates and platform-specific issues.
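As an added example, not code from this post or from OpenSSL: a small Python TLS record parser that counts plaintext warning-level alert records packed into a single flight of bytes, which is the signature a monitor or IDS rule would look for. The 5-warning threshold and the sample byte flights are constructed assumptions, not OpenSSL's own constants.

```python
import struct
from typing import List, Tuple

# TLS record-layer constants (RFC 5246): content types and alert level.
CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22
ALERT_LEVEL_WARNING = 1
TLS_1_2 = 0x0303


def make_record(ctype: int, payload: bytes, version: int = TLS_1_2) -> bytes:
    """Build one TLS record: 5-byte header (type, version, length) + payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def parse_records(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a raw TLS byte stream into (content_type, payload) records.
    A truncated trailing record is dropped rather than misparsed."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break
        records.append((ctype, payload))
        offset += 5 + length
    return records


def count_warning_alerts(data: bytes) -> int:
    """Count plaintext warning-level alert records in one flight of bytes.
    The description byte is ignored on purpose: the flood relies on
    descriptions the receiver would otherwise discard as undefined."""
    return sum(
        1 for ctype, payload in parse_records(data)
        if ctype == CONTENT_TYPE_ALERT and len(payload) == 2
        and payload[0] == ALERT_LEVEL_WARNING
    )


def is_death_alert_flood(data: bytes, max_warnings: int = 5) -> bool:
    """Flag a flight carrying more warning alerts than a sane handshake needs.
    The threshold of 5 is an assumed tuning value, not OpenSSL's constant."""
    return count_warning_alerts(data) > max_warnings


# Constructed sample traffic: a stub handshake record, then the same flight
# with 1000 warning alerts (user_canceled, 90) or one fatal alert appended.
BENIGN_FLIGHT = make_record(CONTENT_TYPE_HANDSHAKE, b"\x01\x00\x00\x00")
FLOOD_FLIGHT = BENIGN_FLIGHT + make_record(CONTENT_TYPE_ALERT, b"\x01\x5a") * 1000
FATAL_FLIGHT = BENIGN_FLIGHT + make_record(CONTENT_TYPE_ALERT, b"\x02\x28")
```

A fatal alert is not counted because a single fatal alert legitimately ends a handshake; only repeated warning-level alerts in one flight match the pattern described above.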

All OpenSSL-enabled servers and services are affected by this vulnerability. Below is the list of affected OpenSSL versions:
  • OpenSSL 0.9.8 (all releases)
  • OpenSSL 1.0.1 (all releases)
  • OpenSSL 1.0.2 through 1.0.2h
  • OpenSSL 1.1.0
Unaffected versions:
  • OpenSSL 1.0.2i, 1.0.2j
  • OpenSSL 1.1.0a, 1.1.0b
To protect yourself from this attack, it is highly recommended that you update your version of OpenSSL immediately.