The OCSP Status Request extension in OpenSSL has a serious vulnerability that allows attackers to exhaust server memory.
By exploiting this vulnerability, an attacker can cause the victim server to allocate a new OCSP ID memory segment at each protocol renegotiation. Repeating this process can consume server memory without bound. Servers with no OCSP configured are also affected by this vulnerability.
In theory, an OCSP ID can be up to 64 KB in size, so an attacker initiating continuous renegotiation requests could make the server consume nearly 64 KB of memory each time. In practice, in OpenSSL 1.0.2 a ClientHello packet can be at most 16 KB, so each renegotiation can consume only about 16 KB of server memory. In OpenSSL 1.1.0, however, the ClientHello length limit was raised to 128 KB, so servers running 1.1.0 consume nearly 128 KB of memory at each renegotiation.
Affected versions:
- OpenSSL 1.1.0
- OpenSSL 1.0.2 <= 1.0.2h
- OpenSSL 1.0.1 <= 1.0.1t
Upgrade OpenSSL to the latest version:
- OpenSSL 1.1.0 users upgrade to 1.1.0a
- OpenSSL 1.0.2 users upgrade to 1.0.2i
- OpenSSL 1.0.1 users upgrade to 1.0.1u
For more information, see https://www.openssl.org/news/secadv/20160922.txt.