Critical OpenSSL 1.1 security update fixes CVE-2024-13176, a timing side-channel flaw in ECDSA. Learn how to patch SUSE Linux Enterprise 15 SP7 to prevent key extraction attacks. Includes CVSS scores, affected packages, and installation commands.
Why This Update Matters for Enterprise Security
A newly released SUSE security update (SUSE-SU-2025:0613-2) addresses a moderate-risk vulnerability (CVE-2024-13176) in OpenSSL 1.1, impacting multiple enterprise Linux distributions.
This patch prevents a timing side-channel attack in ECDSA signature computation—a critical fix for businesses handling sensitive data.
🔹 Affected Products:
SUSE Linux Enterprise Server 15 SP7
SUSE Linux Enterprise Desktop 15 SP7
SUSE Linux Enterprise Server for SAP Applications 15 SP7
Certifications Module 15-SP7
🔹 CVSS Severity Scores:
6.0 (SUSE CVSS v4.0) – Network-exploitable with high confidentiality impact
5.9 (SUSE CVSS v3.1) – Remote attack vector with data exposure risk
4.1 (NVD CVSS v3.1) – Local privilege escalation risk
Key Security Fixes in This Update
CVE-2024-13176 – Patches a side-channel vulnerability in ECDSA, which could allow attackers to extract private keys via timing analysis.
PBKDF Parameter Validation Fix – Corrects improper approval of weak cryptographic parameters (bsc#1236771).
How to Apply the Patch
To secure your systems, use one of these methods:
✅ Recommended:
zypper in -t patch SUSE-SLE-Module-Certifications-15-SP7-2025-613=1 ✅ Alternative: Apply via YaST online_update or zypper patch.
📌 Affected Packages:
libopenssl1_1-1.1.1w-150600.5.12.2openssl-1_1-debugsource-1.1.1w-150600.5.12.2
Why Immediate Action is Necessary
OpenSSL vulnerabilities are prime targets for cyberattacks—delaying patches increases exposure to data breaches, compliance risks, and financial losses. Enterprises using SUSE Linux for SAP or high-security environments should prioritize this update.
🔗 Further Reading:
Nenhum comentário:
Postar um comentário