A critical new vulnerability in OpenSSL could allow attackers to intercept secure communications by tricking a targeted computer into accepting a bogus digital certificate as valid. This could facilitate man-in-the-middle (MITM) attacks, where attackers could listen in on connections with secure services such as banks or email services.
OpenSSL is one of the most widely used implementations of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols. The open-source software is used widely on internet-facing devices, including two thirds of all web servers.
The new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793) was patched today in a security update issued by the OpenSSL project. The vulnerability relates to OpenSSL’s certificate verification process. SSL certificates are issued in chains, moving from the root certificate authority (CA) through a number of intermediate CAs down to the end user certificate, known as the leaf certificate. If a connecting device cannot establish whether a certificate has been issued by a trusted CA, it will move another step up the chain until it finds a trusted CA. If it doesn’t find one, it will return an error message and a secure connection will be denied.
If the first attempt to build a chain of certificates fails, OpenSSL will attempt to find an alternative chain. The vulnerability results from an error in the implementation of this process, which could allow an attacker to bypass checks on untrusted CAs. This could allow an attacker to use a valid leaf certificate to act as a CA and issue invalid certificates, which will be accepted as trusted by the target.
Chain validation is typically performed by SSL and TLS client software, such as web browsers and email servers. Some web servers are configured to authenticate site visitors by authenticating the client’s certificate. Those web servers are vulnerable to this flaw if they use an affected version of OpenSSL for certificate chain verification. Web servers that do not authenticate site visitors, or that do authenticate site visitors using passwords or other means, are not vulnerable, even if they use an affected version of OpenSSL.
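To make the chain-building logic concrete, here is an added toy model (not OpenSSL's code) of a verifier that tries alternative chains and applies the CA-flag check to every untrusted issuer on every path. Certificates are plain dicts with constructed names; no signatures are checked, only the structural rules the article describes.

```python
# Added illustration (not OpenSSL's code): a toy X.509 chain builder.
# Certificates are plain dicts; no signatures are verified. Only the
# structural rules are modelled: each issuer must be found, the path must
# end at a trusted anchor, and every untrusted certificate used as an
# issuer must carry the CA flag. That last rule, applied on alternative
# paths too, is the check CVE-2015-1793 allowed to be bypassed.
from typing import Dict, List, Optional

Cert = Dict[str, object]


def cert(subject: str, issuer: str, ca: bool) -> Cert:
    """Build a minimal certificate record (constructed sample data)."""
    return {"subject": subject, "issuer": issuer, "ca": ca}


def build_chain(leaf: Cert, untrusted: List[Cert],
                trusted: List[Cert]) -> Optional[List[Cert]]:
    """Return [leaf, ..., anchor] or None when no acceptable chain exists.

    Depth-first search over every candidate issuer: when one path dead-ends,
    the next candidate is tried (the 'alternative chain'). The CA check sits
    inside the search, so it applies on every path, not just the first.
    """
    def search(chain: List[Cert]) -> Optional[List[Cert]]:
        top = chain[-1]
        for anchor in trusted:
            if anchor["subject"] == top["issuer"]:
                return chain + [anchor]          # reached a trust anchor
        for cand in untrusted:
            if cand["subject"] != top["issuer"] or cand in chain:
                continue
            if not cand["ca"]:
                continue   # a non-CA certificate may not act as an issuer
            found = search(chain + [cand])
            if found is not None:
                return found
        return None

    return search([leaf])


# Constructed sample PKI: "Inter CA" is cross-signed by a retired root that
# is not in the trust store and by the current trusted root.
ROOT = cert("Root CA", "Root CA", ca=True)
INTER_OLD = cert("Inter CA", "Old Root", ca=True)   # path that dead-ends
INTER_NEW = cert("Inter CA", "Root CA", ca=True)    # alternative path
SITE = cert("www.example", "Inter CA", ca=False)    # ordinary leaf
FORGED = cert("www.bank", "www.example", ca=False)  # "issued" by a leaf
POOL = [INTER_OLD, INTER_NEW, SITE]


def chain_subjects(leaf: Cert) -> Optional[List[str]]:
    chain = build_chain(leaf, POOL, [ROOT])
    return None if chain is None else [c["subject"] for c in chain]
```

`chain_subjects(SITE)` succeeds only through the alternative path via `INTER_NEW`, while `chain_subjects(FORGED)` is rejected because its issuer lacks the CA flag.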
This vulnerability affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c are advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and 1.0.1o are advised to immediately upgrade to 1.0.1p.
This is the latest in a series of serious issues affecting SSL/TLS over the past year and a half. The most high-profile bug was Heartbleed, or the OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability (CVE-2014-0160), and it even came with its own logo. Discovered in April 2014, Heartbleed enabled attackers to intercept secure communications and steal sensitive information such as login credentials, personal data, or even decryption keys by exploiting a weakness in the Heartbeat component of the software.
Heartbleed was followed by the discovery of the POODLE vulnerability in October 2014. Officially known as the SSL Man In The Middle Information Disclosure Vulnerability (CVE-2014-3566), POODLE affected the older and recently deprecated version of SSL (3.0), which was introduced in 1996, and has since been superseded by several newer versions of its successor protocol, TLS. Nevertheless, POODLE was still exploitable since nearly every web browser and a large number of web servers continued to support SSL 3.0. Attackers could potentially force a secure connection to downgrade to the SSL 3.0 protocol before exploiting the POODLE vulnerability.
In early March of this year a vulnerability known as FREAK was disclosed. Affecting SSL/TLS, a successful exploit could allow attackers to intercept and decrypt communications between affected clients and servers. Formally known as the OpenSSL Man in the Middle Security Bypass Vulnerability (CVE-2015-0204), FREAK enabled MITM attacks against secure connections by forcing them to use export-grade encryption, a much weaker form of encryption that is easily crackable. Export-grade encryption is not usually used today.
Hot on the heels of FREAK, the OpenSSL Denial of Service Vulnerability (CVE-2015-0291) was patched later in March 2015. The vulnerability could potentially be exploited by attackers in a denial-of-service (DoS) attack against affected unpatched servers.
Finally in May of this year, the SSL/TLS Logjam Man in the Middle Security Bypass Vulnerability (CVE-2015-4000) was discovered and patched. If left unpatched, Logjam could allow attackers to exploit a weakness in the session key exchange mechanism that takes place at the start of secure communications, since many implementations used shared and often static (512-bit) prime numbers to protect session keys during the key exchange process. This makes it much easier to expose session keys used to encrypt data during SSL/TLS sessions.
- This is a vulnerability in OpenSSL and not a flaw with SSL/TLS, nor with certificates issued by Symantec.
- Anyone using OpenSSL 1.0.1 through 1.0.2 should update to the latest version of the software as soon as possible. Users of OpenSSL versions 1.0.0 and 0.9.8 are not affected by this issue.
- Be aware that many other software packages use OpenSSL and any that do will need to be updated once the vendor incorporates the patched version of OpenSSL into their product.