← All stories
● Covered by 1 source Β· 1 reportHigh impact

HollowByte DDoS vulnerability affects OpenSSL servers with 11-byte payload

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

The HollowByte vulnerability enables unauthenticated attackers to cause denial-of-service on OpenSSL servers by sending an 11-byte payload. OpenSSL has addressed the issue without issuing an identifier, necessitating organizations to upgrade to fixed versions immediately due to its widespread integration in critical software.

Key points

Overview of HollowByte Vulnerability

The HollowByte vulnerability is a denial-of-service (DoS) flaw that impacts OpenSSL servers. It allows attackers to disrupt service with a malicious payload as small as 11 bytes.

The vulnerability works during the TLS handshake, where a 4-byte header is used to indicate the size of incoming messages.

Technical Details of the Exploit

In vulnerable OpenSSL versions, the server allocates memory based on the declared length in the handshake header before validating the payload. An attacker can exploit this by opening a TLS connection and sending a small payload claiming a much larger message follows. This causes server memory allocation issues.

Repeating this process can lead to significant memory fragmentation, bloating the server's Resident Set Size (RSS) without proper memory deallocation, as the GNU C Library handles freed memory differently.

Impact on OpenSSL and Common Software

The OpenSSL library is integral to many popular projects including NGINX, Apache, and various programming languages and databases. Thus, the HollowByte vulnerability poses a serious risk as it can affect a wide range of systems that rely on OpenSSL.

Organizations are advised to upgrade to patched versions of OpenSSL to mitigate the risk of this vulnerability.

Mitigation and Recommendations

The OpenSSL team has fixed the vulnerability and backported patches to older versions. It is critical for affected organizations to prioritize these updates.

Monitoring server memory usage and reviewing connection handling practices can help in managing the impact of such vulnerabilities.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Reporting from

The HollowByte vulnerability enables unauthenticated attackers to cause denial-of-service on OpenSSL servers by sending an 11-byte payload. OpenSSL has addressed the issue without issuing an identifier, necessitating organizations to upgrade to fixed versions immediately due to its widespread integration in critical software.