The Internet Storm Center (ISC SANS) ranks two of the newly patched flaws as critical. One, identified as CVE-2014-0224, is an SSL man-in-the-middle (MITM) vulnerability that could have a widespread, critical impact. In an MITM attack, the attacker intercepts the encrypted traffic exchanged between two secured endpoints and is able to decrypt it.
"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS [Secure Sockets Layer/Transport Layer Security] clients and servers," OpenSSL warns in its advisory. "This can be exploited by a man-in-the-middle attack where the attacker can decrypt and modify traffic from the attacked client and server."
The OpenSSL Project cautions that all client versions of OpenSSL are vulnerable to CVE-2014-0224. The OpenSSL advisory notes that CVE-2014-0224 was reported to the OpenSSL Project on May 1.
The other OpenSSL update rated as critical addresses CVE-2014-0195, a Datagram Transport Layer Security (DTLS) invalid-fragment vulnerability that was reported to the project on April 23.
"A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server," the OpenSSL advisory warns. "This is potentially exploitable to run arbitrary code on a vulnerable client or server."
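The advisory text above says an invalid DTLS fragment can overrun a buffer; the general defence is to validate every length and offset the peer supplies before it drives a copy. The following is an added illustration in C, not OpenSSL's code: the reassembler, its struct names, `MAX_MSG_LEN`, and the strict in-order fragment rule are assumptions made for the example, and the sample payload is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL code): a minimal DTLS handshake-fragment
 * reassembler with the bounds checks that keep a hostile fragment from
 * writing outside the reassembly buffer. Fragments are required to arrive
 * strictly in order, a simplification of real DTLS chosen for brevity. */

#define MAX_MSG_LEN 4096u   /* assumed reassembly buffer size */

typedef struct {
    uint32_t msg_len;      /* total handshake message length claimed in the fragment header */
    uint32_t frag_offset;  /* claimed offset of this fragment within the message */
    uint32_t frag_len;     /* claimed length of this fragment */
    const uint8_t *body;   /* fragment bytes as carried in the datagram */
    size_t body_len;       /* bytes actually present after the header */
} dtls_fragment;

typedef struct {
    uint8_t buf[MAX_MSG_LEN];
    uint32_t msg_len;      /* declared length of the message being reassembled; 0 = idle */
    uint32_t received;     /* contiguous bytes copied so far */
} dtls_reassembly;

void dtls_reassembly_init(dtls_reassembly *r) { memset(r, 0, sizeof *r); }

/* Every field of f comes from the peer, so each is checked before it
 * influences a memcpy. Returns 1 if the fragment is acceptable, 0 to drop it. */
int dtls_fragment_is_valid(const dtls_reassembly *r, const dtls_fragment *f)
{
    if (f->msg_len == 0 || f->msg_len > MAX_MSG_LEN)
        return 0;                      /* message cannot fit in the buffer */
    if (r->msg_len != 0 && f->msg_len != r->msg_len)
        return 0;                      /* declared length changed mid-message */
    if (f->frag_len > f->msg_len)
        return 0;                      /* fragment larger than the whole message */
    if (f->frag_offset > f->msg_len - f->frag_len)
        return 0;                      /* offset + len > msg_len, tested without integer wrap */
    if (f->frag_offset != r->received)
        return 0;                      /* out of order, overlapping, or leaves a gap */
    if (f->body_len < f->frag_len)
        return 0;                      /* datagram is shorter than its header claims */
    return 1;
}

/* Copies a validated fragment into place. Returns 1 on accept, 0 on reject. */
int dtls_reassemble(dtls_reassembly *r, const dtls_fragment *f)
{
    if (!dtls_fragment_is_valid(r, f))
        return 0;
    r->msg_len = f->msg_len;
    memcpy(r->buf + f->frag_offset, f->body, f->frag_len);  /* safe: bounds proven above */
    r->received += f->frag_len;
    return 1;
}

/* 1 once every byte of the declared message has arrived. */
int dtls_message_complete(const dtls_reassembly *r)
{
    return r->msg_len != 0 && r->received == r->msg_len;
}

int main(void)
{
    static const uint8_t payload[] = "0123456789";   /* constructed 10-byte sample message */
    dtls_reassembly r;
    dtls_reassembly_init(&r);

    dtls_fragment first  = { 10, 0, 6, payload,     6 };
    dtls_fragment second = { 10, 6, 4, payload + 6, 4 };
    /* Hostile fragment: offset near UINT32_MAX so a naive offset+len check would wrap. */
    dtls_fragment bad    = { 10, 0xFFFFFFF0u, 0x20u, payload, 10 };

    printf("first accepted:  %d\n", dtls_reassemble(&r, &first));
    printf("bad accepted:    %d\n", dtls_reassemble(&r, &bad));
    printf("second accepted: %d\n", dtls_reassemble(&r, &second));
    printf("complete:        %d\n", dtls_message_complete(&r));
    return 0;
}
```

The check `f->frag_offset > f->msg_len - f->frag_len` is the one most often written as `offset + len > msg_len`, which a 32-bit offset chosen by the peer can wrap past; ordering the subtraction after the `frag_len <= msg_len` test keeps it free of overflow.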
DTLS is also at the core of the CVE-2014-0221 flaw, which is a DTLS recursion flaw that ISC SANS has rated critical.
"By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse, eventually crashing in a DoS attack," the OpenSSL advisory states.