This 11-Byte TLS Request Could Freeze Your OpenSSL Server's Memory

ยท
Listen to this article~4 min
This 11-Byte TLS Request Could Freeze Your OpenSSL Server's Memory

A tiny 11-byte TLS request can lock up 131 KB of server memory until reboot. OpenSSL shipped the fix quietly with no CVE or advisory. Learn how to protect your systems.

Imagine sending a tiny 11-byte message and causing a server to lock up 131 KB of memory that never gets freed until the machine reboots. That's exactly what the HollowByte vulnerability does to unpatched OpenSSL servers. And here's the kicker: the fix was quietly shipped in June with no CVE, no advisory, and no changelog entry pointing at it. ### What Is the HollowByte Flaw? HollowByte is a denial-of-service bug in OpenSSL that exploits how the software handles TLS handshake requests. A malicious actor sends a specially crafted 11-byte TLS request, and the server dutifully sets aside up to 131 KB of memory waiting for a follow-up message that never comes. On systems using glibc, that memory is gone until the process restarts. It's like reserving a table for 20 at a crowded restaurant and never showing up - except the restaurant can't give that table to anyone else until it closes for the night. ### Who Discovered It and Why It Matters Okta's Red Team found the bug and named it HollowByte. They reported it to OpenSSL, which rolled out a fix in June. But here's where it gets interesting: OpenSSL didn't assign a CVE, didn't publish an advisory, and didn't mention it in the changelog. That means most system administrators probably have no idea this vulnerability exists or that they need to update. ### How Bad Could This Get? On paper, it sounds small - just 131 KB per request. But consider this: - Attackers can send thousands of these tiny requests in seconds - Each one locks up memory until the server restarts - On shared hosting environments, one compromised site could take down others - Memory exhaustion leads to crashes, data loss, and downtime A determined attacker could freeze an entire server by flooding it with 11-byte requests. No fancy exploits, no malware - just a few bytes sent at the right time. ### Who Should Care About This? If you run any of these, you need to patch now: - Web servers using OpenSSL - Email servers using TLS - VPN gateways - Any application that handles encrypted connections - Cloud infrastructure providers ### What to Do Right Now First, check your OpenSSL version. If it's older than the June 2024 release, you're vulnerable. Update immediately. Don't wait for a CVE announcement - it's not coming. The fix is already in the code, but you have to apply it yourself. Second, monitor your server memory usage. If you see unexplained spikes in memory allocation, especially during TLS handshakes, this could be the cause. Third, consider using antidetect browsers for sensitive operations. These tools can help mask your digital footprint and protect against similar low-level attacks that target your system's memory or network stack. ### The Bigger Picture The HollowByte flaw highlights a growing problem in cybersecurity: silent patches. When vendors fix critical vulnerabilities without proper disclosure, they leave users in the dark. You can't defend against what you don't know exists. This is why staying updated matters even when there's no flashy announcement. ### Final Thoughts An 11-byte request shouldn't be able to bring down a server. But it can, and it will if you don't patch. The HollowByte bug is a reminder that the smallest things can cause the biggest problems. Update your OpenSSL, monitor your systems, and stay vigilant. Your server's memory - and your users' trust - depend on it.