The HollowByte vulnerability enables unauthenticated attackers to cause denial-of-service on OpenSSL servers by sending an 11-byte payload. OpenSSL has addressed the issue without issuing an identifier, necessitating organizations to upgrade to fixed versions immediately due to its widespread integration in critical software.
The HollowByte vulnerability is a denial-of-service (DoS) flaw that impacts OpenSSL servers. It allows attackers to disrupt service with a malicious payload as small as 11 bytes.
The vulnerability works during the TLS handshake, where a 4-byte header is used to indicate the size of incoming messages.
In vulnerable OpenSSL versions, the server allocates memory based on the declared length in the handshake header before validating the payload. An attacker can exploit this by opening a TLS connection and sending a small payload claiming a much larger message follows. This causes server memory allocation issues.
Repeating this process can lead to significant memory fragmentation, bloating the server's Resident Set Size (RSS) without proper memory deallocation, as the GNU C Library handles freed memory differently.
The OpenSSL library is integral to many popular projects including NGINX, Apache, and various programming languages and databases. Thus, the HollowByte vulnerability poses a serious risk as it can affect a wide range of systems that rely on OpenSSL.
Organizations are advised to upgrade to patched versions of OpenSSL to mitigate the risk of this vulnerability.
The OpenSSL team has fixed the vulnerability and backported patches to older versions. It is critical for affected organizations to prioritize these updates.
Monitoring server memory usage and reviewing connection handling practices can help in managing the impact of such vulnerabilities.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
The HollowByte vulnerability enables unauthenticated attackers to cause denial-of-service on OpenSSL servers by sending an 11-byte payload. OpenSSL has addressed the issue without issuing an identifier, necessitating organizations to upgrade to fixed versions immediately due to its widespread integration in critical software.