OpenSSL bug that could allow traffic decryption has been fixed
The OpenSSL Project has pushed out new versions of the widely used OpenSSL cryptographic library, which incorporate patches for two distinct security bugs, and an update of the protection against the infamous Logjam vulnerability.
OpenSSL contains an open source implementation of the SSL and TLS protocols, supports many different cryptographic algorithms, and is incorporated into a considerable amount of mainstream software.
One of the patched vulnerabilities (CVE-2016-0701) is severe – but not critical – as it could be used by attackers to obtain keys that would allow them to decrypt communications. It affects only OpenSSL 1.0.2 releases.
“Historically OpenSSL usually only ever generated DH (Diffie-Hellman) parameters based on ‘safe’ primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be ‘safe’,” the OpenSSL team explained.
“Where an application is using DH configured with parameters based on primes that are not ‘safe’ then an attacker could use this fact to find a peer’s private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example, this could be used to discover a TLS server’s private DH exponent if it’s reusing the private DH exponent or it’s using a static DH ciphersuite.”
“OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS,” they added. “It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.”
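The distinction the OpenSSL team draws between ‘safe’ primes and X9.42-style parameters comes down to what a server can verify about a peer's public value. With a safe prime p = 2q + 1 the only subgroups are of order 1, 2, q and 2q, so a received value can be checked against p alone; with a non-safe prime, p - 1 has other small factors, and a value of small order can only be rejected if the subgroup order q from the parameter file is checked explicitly. The following added example (written for this article, not OpenSSL's code) performs that defensive validation on constructed tiny primes (23, 31 and 47, chosen for readability, not for use); the function and variable names are assumptions. It is complementary to, not a replacement for, using a fresh private exponent per handshake, which is what SSL_OP_SINGLE_DH_USE enforces.

```python
# Added example (not OpenSSL's code): defensive validation of DH parameters
# and of received peer public values. Primes used below are constructed
# toy values for illustration only.
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; sufficient for a parameter sanity check."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """True when both p and (p-1)/2 are prime. For such p the only subgroups
    have order 1, 2, q or 2q, so peer values can be validated from p alone."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def subgroup_order(p):
    """Order q of the large prime-order subgroup when p is a safe prime."""
    return (p - 1) // 2


def is_valid_peer_value(y, p, q):
    """Validate a received DH public value y for the group (p, q), where q is
    the order of the subgroup the generator lives in.

    Rejects 0, 1, p-1 and out-of-range values, and rejects any y that is not
    in the order-q subgroup (y^q mod p != 1). For an X9.42-style group with a
    non-safe p, this subgroup check is what stops a small-order value from
    being accepted into the key computation.
    """
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def validate_dh_parameters(p, g, q=None):
    """Return (ok, reason). If q is omitted, p must be a safe prime and
    q = (p-1)/2 is derived; otherwise q must be a prime divisor of p-1 and
    g must generate a subgroup of order exactly q."""
    if not is_probable_prime(p):
        return False, "p is not prime"
    if q is None:
        if not is_safe_prime(p):
            return False, "p is not a safe prime and no subgroup order q was supplied"
        q = subgroup_order(p)
    elif (p - 1) % q != 0 or not is_probable_prime(q):
        return False, "q is not a prime divisor of p-1"
    # g != 1 and g^q == 1 with q prime means g has order exactly q.
    if not 2 <= g <= p - 2 or pow(g, q, p) != 1:
        return False, "g does not generate a subgroup of order q"
    return True, "ok"


if __name__ == "__main__":
    # Constructed toy groups: 23 is a safe prime (q = 11); 31 is not
    # (30 = 2 * 3 * 5), so an X9.42-style file must supply q = 5 and g = 2.
    print(validate_dh_parameters(23, 2))        # (True, 'ok')
    print(validate_dh_parameters(31, 2))        # rejected: not safe, no q
    print(validate_dh_parameters(31, 2, 5))     # (True, 'ok')
    print(is_valid_peer_value(5, 31, 5))        # False: 5 has order 3 mod 31
    print(is_valid_peer_value(2, 31, 5))        # True: in the order-5 subgroup
```

Run as a script it prints the outcomes for the two toy groups; the point to take from it is that with p = 31 the value y = 5 is rejected only because q = 5 is checked, while the range check alone would have let it through.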
Researcher Antonio Sanso, who discovered the vulnerability and pointed it out to the OpenSSL team, has a much more detailed and technical write-up about it, so you might want to check it out.
Apparently, the team already knew about the flaw and had already (partially) fixed it, but the fix wasn’t yet implemented in the release branches of the library.
Users who run OpenSSL 1.0.2 are advised to upgrade to 1.0.2f, and those running OpenSSL 1.0.1 should switch to 1.0.1r.
But, as part of the fix, the SSL_OP_SINGLE_DH_USE option has been switched on by default and cannot be disabled. “This could have some performance impact,” the OpenSSL team warned.