
Widely Used Encryption Software Broken With Fuzzing Cloud

Codenomicon Fuzz-o-Matic Finds a Critical Flaw in OpenSSL

OULU, FINLAND, May 11, 2012 -- Codenomicon Ltd, a leading vendor of automated robustness and fuzz testing solutions for managing your unknown vulnerability exposure, announced today that it has helped identify and fix a critical flaw in the widely used OpenSSL encryption software. A flaw in OpenSSL's handling of CBC mode cipher suites in TLS 1.1, TLS 1.2 and DTLS can be exploited in a denial of service attack against both client and server software. The flaw was found with Codenomicon's new cloud-based testing platform, Fuzz-o-Matic. Fuzz-o-Matic validates that your implementation is rugged and ready to be deployed in live, potentially hostile networks. The OpenSSL team was able to fix the problem using the detailed defect report provided by Fuzz-o-Matic.

The TLS security protocol is the current Internet standard for encrypting and authenticating application traffic. TLS is used by millions of people every day in online banking, e-commerce, email, and Voice-over-IP applications. OpenSSL is an open-source implementation of TLS, and it is used in standard operating systems, web browsers, email clients, and network devices ranging from WiFi access points and DSL modems to industrial-strength core routers.

"Cloud-based security testing is the future for outsourced penetration testing. This clearly demonstrates why Fuzz-o-Matic has been so successful. A major obstacle I have seen during my career is the ability to fuzz software effectively. The skill set required to develop and operate a fuzzer is complicated and time-consuming. In order to fuzz effectively you need access to top-notch fuzzers. Fuzz-o-Matic solves all of these problems by providing the industry's best fuzz testing solution at a very affordable price point and without any investment needed for employee training on fuzzing," said Antti Häyrynen, lead developer of the Fuzz-o-Matic platform.

The OpenSSL team issued a thank-you acknowledgement to Codenomicon for discovering the critical flaw using Codenomicon's Fuzz-o-Matic Fuzzing-as-a-Service testing platform: http://www.openssl.org/news/secadv_20120510.txt

- For more information on Fuzz-o-Matic, go to www.codenomicon.com/fuzzomatic/
- For more information on this and other Codenomicon-found vulnerabilities, go to www.codenomicon.com/labs/advisories/

Fuzz-o-Matic is a secure, web-based fuzz Testing-as-a-Service (TaaS) platform that brings fuzz testing to the masses. Fuzzing your software is now as simple as signing up for an account, uploading your software to Fuzz-o-Matic, and then sitting back and waiting for the results to show up on the Fuzz-o-Matic dashboard. Fuzz-o-Matic features thorough exploitability analysis of found defects, real-time notifications of found vulnerabilities, and detailed reports that simplify the process of fixing and remediating the found defects. Fuzz-o-Matic supports testing applications running on Microsoft Windows, Linux, Apple OS X and various mobile devices.

About Codenomicon Ltd

Codenomicon finds security vulnerabilities others can't find. Companies rely on Codenomicon's solutions to discover zero-day vulnerabilities that cause Denial of Service (DoS) and data leakage if exploited by hackers -- the unknown vulnerabilities that Advanced Persistent Threats (APTs) use to break into systems. Codenomicon's customers include Alcatel-Lucent, AT&T, Cisco Systems, Microsoft, Motorola, Google, Verizon, Nokia Siemens Networks, Huawei, and T-Systems. Known for its Defensics software for security stress-testing of software, firmware and hardware, and for its Clarified Situation Awareness Solution for Computer Emergency Response Teams (CERTs), Codenomicon launched Fuzz-o-Matic in January 2012. For more information, go to www.codenomicon.com.