Feared OpenSSL vulnerability gets patched, forgery issue resolved

The latest flaw is bad, but at least it's no Heartbleed

The promised patch against a high severity bug in Open SSL is out, resolving a certificate forgery risk in many implementations of the crypto protocol.

Versions 1.0.1n and 1.0.2b of OpenSSL need fixing to resolve a bug that created a means for hackers to run crypto attacks that circumvent certificate warnings, as an advisory by OpenSSL explains.

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.

An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

This issue was reported to OpenSSL on 24 June by Adam Langley/David Benjamin of Google/BoringSSL. The fix was developed by the BoringSSL project.

OpenSSL developers warned the fix was forthcoming on Monday without providing any details. The upcoming patch sent shivers through the industry, as it came months after the infamous Heartbleed vulnerability which also stemmed from flaws in OpenSSL.

Tod Beardsley, security engineering manager at Rapid7, said that left unresolved the flaw would allow hackers to impersonate Certificate Authorities.

"The issue at the core of today’s disclosure is that OpenSSL can fail to correctly validate that a certificate presented is issued by a trusted Certificate Authority. In effect, the Certificate Authority mechanism for validating that endpoint services are “who they say they are” can be bypassed with this vulnerability; cryptographic procedures that protect the secrets passed between clients and servers are unaffected. So, while the encryption is unaffected, users cannot be sure who they are sharing secrets with without the provided patch. "This vulnerability is really only useful to an active attacker, who is already capable of performing a man-in-the-middle (MITM) attack, either locally or upstream from the victim. This limits the feasibility of attacks to actors who are already in a privileged position on one of the hops between the client and the server, or is on the same LAN and can impersonate DNS or gateways. The vulnerability is not useful for passive attacks, or widespread, untargeted attacks," he added.

Initial reaction by experts suggests the latest flaw is bad, but no Heartbleed.

"Facepalm-level bad, but not Heartbleed-level bad, at first glance," said application security expert Chris Eng in an update to his personal Twitter account. ®


Biting the hand that feeds IT © 1998–2017