Pesky C and Memory … OpenSSL on the Naughty Step, Again!

Eight CVEs!

OpenSSL provides a foundation part of cybersecurity on the Internet. But, can be buggy. In fact, it caused the HeartBleed bug, which nearly caused large parts of the Internet to be untrustworthy. Basically, though, it is the Swiss Army Knife of cybersecurity and is often the “go-to” place for testing cryptography outputs.

Now, seven memory bugs have been found and which can cause data leakages and Denial of Service (DoS) vulnerabilities. The patches are:

• OpenSSL 3.0 to 3.0.8.
• OpenSSL 1.1.1 to 1.1.1t.
• OpenSSL 1.0.2 to 1.0.2zg.

Basically, it is all to do with malloc() in C, and where memory is reserved for data. Overall, C does implement garbage collection for memory which isn’t used anymore. Thus a function might store a password in memory, and then when the function completes, it can leave the password in plain sight in memory. To overcome this, we should use the free() method, and which cleans up the data space that we are not using.

The memory-related bugs which has a high risk is CVE-2023–0286, and moderate risks are CVE-2023–0215, CVE-2022–4450, CVE-2022–4203, CVE-2023–0216, CVE-2023–0217 and CVE-2023–0401.