The OpenSSL Project Team announced a high severity bug in their open source implementation of SSL today that could allow the bypassing of checks on untrusted certificates (read: man-in-the-middle attacks). Find out which versions of OpenSSL are impacted, and what you need to patch this critical vulnerability.
The following is an excerpt of the advisory as issued by the OpenSSL Project Team:
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.
This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
In essence, the vulnerability could enable a man-in-the-middle attack to occur—since applications would mistakenly view invalid/untrusted SSL certificates as valid.
To fix the bug, you’ll need to update your OpenSSL libraries. On yum-based distributions (RHEL, CentOS):
$ yum update openssl
On apt-based distributions (Debian, Ubuntu):
$ apt-get update
$ apt-get install openssl
Any OpenSSL-dependent services should be restarted after applying these updates.
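To check a host against the advisory's version list and find the services that still need that restart, here is an added example (not from the advisory or the OpenSSL project; the function names are illustrative). It assumes the usual `openssl version` output format and a Linux /proc; distribution packages can carry backported fixes under an older version string, and the CLI version says nothing about copies of OpenSSL bundled inside applications.

```shell
#!/bin/sh
# Added example: function names are illustrative, not part of OpenSSL or any tool.

# openssl_status "<output of 'openssl version'>"
# Classifies the version against the releases named in the advisory.
openssl_status() (
    # Second field of e.g. "OpenSSL 1.0.2c 12 Jun 2015" (constructed sample).
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%%-*}                       # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.2b|1.0.2c) echo "affected: upgrade to 1.0.2d" ;;
        1.0.1n|1.0.1o) echo "affected: upgrade to 1.0.1p" ;;
        "")            echo "unknown" ;;
        *)             echo "not affected" ;;
    esac
)

# maps_has_stale_openssl <maps-file>
# True when a process memory map (the /proc/PID/maps format) still references a
# libssl or libcrypto file that was replaced on disk, i.e. the process loaded
# the old library before the update and has not been restarted.
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^/]* \(deleted\)$' "$1" 2>/dev/null
}

# Report for this host: CLI version, then processes that still need a restart.
if command -v openssl >/dev/null 2>&1; then
    echo "openssl: $(openssl_status "$(openssl version)")"
fi
for maps in /proc/[0-9]*/maps; do
    if maps_has_stale_openssl "$maps"; then
        pid=${maps#/proc/}
        echo "restart needed: PID ${pid%/maps}"
    fi
done
```

Run it as root so that every process's memory map is readable; as an unprivileged user it only sees your own processes.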
A high severity issue—as defined in OpenSSL’s security policy—affects common configurations which are also likely to be exploitable. Common examples include server denial-of-service (DoS), significant server memory leakage, and remote code execution, among others. OpenSSL’s high severity Heartbleed bug last year was a doozy, potentially allowing for the theft of usernames, passwords, and credit card numbers residing in active memory (check out Rethinking Information Security To Battle POS RAM-Scraping Malware), while also rendering encryption keys open to potential theft—a dire situation that could leave servers vulnerable even after being patched.
History has shown that these bugs often have far-reaching consequences long after they’ve been announced and, perhaps more alarmingly, can go undetected for years. The Heartbleed bug was resident in OpenSSL for 2 years prior to being discovered, and even months after the patch was announced, hardware and software vendors using OpenSSL were still scrambling to identify which of their own products and services were at risk.
Don’t let exposures go unchecked or leave vulnerabilities exposed. UpGuard provides organizations with infrastructure visibility combined with advanced vulnerability assessment and monitoring to ensure that—at a moment’s notice—vulnerable package versions can be located and patched easily across the whole environment.