Severe OpenSSL bug that allows certificate forgery has been plugged

The wait is over: the OpenSSL Project has issued security updates for the popular open-source implementation of the SSL and TLS protocols, and has shared some details about the high severity vulnerability they fixed.

“During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate,” they explained in the security advisory accompanying the updates.

Effectively, it allows attackers – or anyone else, really – to pose as a valid CA and issue a certificate that will pass muster. The bug is significant, as it can lead to successful man-in-the-middle attacks, but its impact is limited: it affects only OpenSSL versions released in June 2015 and later, and only applications that verify certificates.
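To make the bypassed check concrete, here is an added example (not OpenSSL's code and not from the advisory) using Go's standard crypto/x509 package: it builds a root CA, a leaf certificate with CA:FALSE, and a certificate that the leaf "issued", then walks each chain and rejects any issuer that is not flagged as a CA. All names, serials and certificates are constructed demo data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil); isCA sets the basicConstraints CA flag. Constructed demo data, not a real PKI.
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// checkChain walks from chain[0] (end entity) up to the trust anchor and applies the check the advisory says was bypassed: every issuer must carry CA:TRUE and must actually have signed the certificate below it.
func checkChain(chain []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		issuer := chain[i+1]
		if !issuer.BasicConstraintsValid || !issuer.IsCA {
			return fmt.Errorf("%q is not a CA (CA:FALSE) and cannot issue %q", issuer.Subject.CommonName, chain[i].Subject.CommonName)
		}
		if err := chain[i].CheckSignatureFrom(issuer); err != nil {
			return err
		}
	}
	return nil
}
// demoChains builds root -> leaf (CA:FALSE) -> a cert "issued" by that leaf, and returns the verdict for the legitimate chain and for the forged one (nil means accepted).
func demoChains() (legitErr, forgedErr error) {
	root, rootKey := mkCert("Demo Root CA", true, 1, nil, nil)
	leaf, leafKey := mkCert("www.example.test", false, 2, root, rootKey)
	forged, _ := mkCert("victim.example.test", false, 3, leaf, leafKey)
	return checkChain([]*x509.Certificate{leaf, root}), checkChain([]*x509.Certificate{forged, leaf, root})
}
```

The legitimate chain returns nil while the chain routed through the CA:FALSE leaf returns an error; a verifier that skips the CA-flag step when building an alternative chain is exactly what the advisory describes.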

Most browsers will not be affected, and apparently neither are most Linux distributions, as they have not updated OpenSSL since June.

The life of this particular bug has been very short, as it was spotted in late June and reported to the OpenSSL Project by Google/BoringSSL developers Adam Langley and David Benjamin. The fix was developed by the BoringSSL project.

“The issue at the core of today’s disclosure is that OpenSSL can fail to correctly validate that a certificate presented is issued by a trusted Certificate Authority. In effect, the Certificate Authority mechanism for validating that endpoint services are “who they say they are” can be bypassed with this vulnerability; cryptographic procedures that protect the secrets passed between clients and servers are unaffected. So, while the encryption is unaffected, users cannot be sure who they are sharing secrets with without the provided patch,” explains Tod Beardsley, research manager at Rapid7.

“This vulnerability is really only useful to an active attacker, who is already capable of performing a man-in-the-middle (MITM) attack, either locally or upstream from the victim. This limits the feasibility of attacks to actors who are already in a privileged position on one of the hops between the client and the server, or are on the same LAN and can impersonate DNS or gateways. The vulnerability is not useful for passive attacks, or widespread, untargeted attacks,” he noted.

“So far, it appears that only OpenSSL 1.0.1 and 1.0.2 are affected. OpenSSL 0.9.8 is not affected, nor is LibreSSL. It does not appear that any other SSL/TLS library is affected, though work is ongoing to validate this.”