OpenSSL: Attackers can reconstruct private keys on ARM systems
The developers have closed three security gaps in current OpenSSL versions. So far there have been no reports of attacks.
(Image: Artur Szczybylo/Shutterstock.com)
Attackers can attack systems with OpenSSL and, under certain conditions, recover private keys. Malicious code can also get onto PCs. Versions equipped against this are available for download.
The free OpenSSL software can be used to realize encrypted Internet connections based on TLS, among other things.
Several security problems
The developers list the software vulnerabilities in a warning message. The most dangerous is a vulnerability with the identifier CVE-2025-9230 and a threat level of “high.” This can lead to errors when decrypting certain CMS messages, resulting in memory errors (out-of-bounds). This results in crashes (DoS) or can even lead to the execution of malicious code.
The second vulnerability (CVE-2025-9231 “medium”) only affects 64-bit ARM platforms. There, remote attackers can reconstruct private keys with a timing side-channel attack in the context of SM2 signatures.
Videos by heise
The third vulnerability (CVE-2025-9232 “medium”) can lead to DoS states. To prevent the attacks described, admins should install one of the secure versions as soon as possible:
- OpenSSL 1.0.2zm (premium support)
- OpenSSL 1.1.1zd (premium support)
- OpenSSL 3.0.18
- OpenSSL 3.2.6
- OpenSSL 3.3.5
- OpenSSL 3.4.3
- OpenSSL 3.5.4
(des)
