The OpenSSL server has been updated to fix a security bug that could be remotely exploited to potentially install malware on vulnerable systems.

The race condition flaw in the OpenSSL TLS server extension code could be exploited in a buffer overrun attack, maintainers of the open-source SSL and TLS application warned on Tuesday. All versions of OpenSSL that support TLS extensions are vulnerable, including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a. Apache HTTP server and Stunnel are not affected.

Members of the Red Hat Security Response Team, which uses OpenSSL in Red Hat Enterprise Linux, warned the vulnerability could be remotely exploited.

“Under certain specific conditions, it may be possible for a remote attacker to trigger this race condition and cause such an application to crash, or possibly execute arbitrary code with the permissions of the application,” they wrote. ®

Related stories

• Attack on Apache server exposes firewalls, routers and more (6 October 2011)
• Hackers break SSL encryption used by millions of sites (19 September 2011)
• World ostracizes firm that issued bogus Google credential (30 August 2011)
• 'Devastating' Apache bug leaves servers exposed (24 August 2011)
• Timing attack threatens private keys on SSL servers (25 May 2011)
• Eureka! Google breakthrough makes SSL less painful (19 May 2011)
• Exim code-execution bug, now with root access (11 December 2010)
• Microsoft purges Windows of serious SSL vuln (10 August 2010)
• 'Severe' OpenSSL vuln busts public key crypto (4 March 2010)
• Fix finalized for SSL protocol hole (8 January 2010)
• Researcher busts into Twitter via SSL reneg hole (14 November 2009)
• Tech titans meet in secret to plug SSL hole (5 November 2009)
• OpenSSH chink bares encrypted data packets (19 May 2009)
• Crypto hash boffins trip on buffer overflow (24 February 2009)
• After Debian's epic SSL blunder, a world of hurt for security pros (21 May 2008)