Skip to content
Tech News
← Back to articles

HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload

read original more articles
Why This Matters

The HollowByte vulnerability in OpenSSL exposes critical security concerns by enabling attackers to cause denial-of-service conditions through minimal payloads, potentially impacting vast portions of internet infrastructure. Since OpenSSL underpins secure communications across countless services, this flaw underscores the importance of timely patches and vigilant security practices for organizations and consumers alike.

Key Takeaways

A vulnerability dubbed HollowByte allows unauthenticated attackers to trigger a denial-of-service (DoS) condition on OpenSSL servers with a malicious payload of just 11 bytes.

The OpenSSL team has silently fixed the vulnerability (no identifier assigned) and backported the patch to older releases.

Because the OpenSSL software is the foundational backbone for secure internet communication, organizations should prioritize switching to a fixed version of the library.

HollowByte details

In an advisory earlier this week, Okta’s Red Team described how the HollowByte DoS vulnerability works and its impact in a real-world scenario.

The researchers explain that in a TLS handshake, each message has a 4-byte header for declaring the size of the incoming message. However, vulnerable OpenSSL versions allocate the declared length before receiving the payload and checking its size.

Every TLS handshake message begins with a 4-byte handshake header, where a three-byte length field discloses the size of the handshake data that should follow.

Without validating the payload, the server trusts the packet's claims and allocates the indicated memory. "The worker thread then blocks, waiting indefinitely for data that will never arrive," Okta explains.

An unauthenticated attacker can trigger HollowByte by opening a TLS connection and sending an 11-byte malicious input with a header declaring that a much larger message body will follow.

The attacker repeats the same process across multiple connections, causing the server to allocate considerable amounts of memory via a relatively small volume of transmitted data.

... continue reading