OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

Summary

A denial-of-service vulnerability named HollowByte has been discovered in OpenSSL that can freeze server memory with a small, 11-byte TLS request. This flaw causes unpatched servers to allocate significant memory that is not released until the process is restarted, impacting services like those tested by Okta's Red Team. OpenSSL released a fix in June without public advisories or CVE identification.

IFF Assessment

FOE

This vulnerability allows attackers to cause a denial-of-service by consuming significant server memory with minimal effort, making it a threat to service availability.

Severity

7.5 High (AI Estimated)

This CVSS score is estimated based on a denial-of-service vulnerability that requires low attack complexity and can significantly impact the availability of a service by consuming memory. The impact score is high due to the potential for complete service disruption.

Defender Context

Defenders should prioritize patching their OpenSSL installations to mitigate the HollowByte vulnerability, as it can be exploited with minimal effort to cause denial-of-service conditions. This incident highlights the importance of supply chain security and thorough vulnerability analysis, even for seemingly minor code changes.

Read Full Story →