Critical OpenSSL Flaw that Allows HTTPS-Traffic to be Decrypted Patched
Developers of the OpenSSL cryptographic code library have patched yet another high-severity vulnerability that made it possible for attackers to decrypt communications secured over HTTPS connections and other TLS channels by obtaining the secret key.
While the OpenSSL vulnerability is critical and could do damage if exploited, a number of conditions must be in place before an attack can be carried out. The bug resides only in OpenSSL version 1.0.2, which limits which deployments are affected. To be exposed, an application must use Diffie-Hellman groups generated in the style of the Digital Signature Algorithm (DSA) for ephemeral Diffie-Hellman key exchange. By default, servers that do this reuse the same private Diffie-Hellman exponent for the life of the server process, which is what makes them vulnerable to key-recovery attacks. Configurations that pair DSA-based Diffie-Hellman parameters with a static Diffie-Hellman ciphersuite are also susceptible, OpenSSL said.
Fortunately, these conditions don’t appear to be met by the majority of mainstream applications that rely on OpenSSL and use DSA-based Diffie-Hellman.
When these conditions are met, an attacker can send large numbers of handshake requests to a vulnerable server or client. Once enough of the resulting computations are complete, the attacker can obtain partial values of the secret exponent and combine them using the Chinese remainder theorem to eventually derive the decryption key. For an in-depth technical analysis of CVE-2016-0701, see the blog post by Antonio Sanso, the Adobe Systems researcher who discovered the vulnerability. Among other things, OpenSSL warned in its advisory published Thursday that the latest patch may reduce performance.
OpenSSL was fast to respond, patching the vulnerability Sanso had responsibly disclosed on January 12. This means OpenSSL developers took just over two weeks to develop a working patch and distribute it. What makes the story even more interesting is that when Sanso reported the vulnerability, OpenSSL already had a patch ready, but it was not yet available for public release. This was presumably a large factor in why the patch could be released so quickly.
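To make the conditions above concrete, here is an added Python example (not from OpenSSL or from the advisory) that audits a Diffie-Hellman modulus from a defender's side: a safe prime (p = 2q + 1 with q prime) has no subgroup smaller than q apart from the trivial order-2 one, while a DSA-style prime has a p−1 with many small factors, each of which is a subgroup that leaks part of a reused exponent. The two moduli are tiny constructed values chosen for illustration, not real parameters.

```python
import random

SAMPLE_SAFE_PRIME = 23         # constructed toy value: 23 = 2*11 + 1, and 11 is prime
SAMPLE_DSA_STYLE_PRIME = 2311  # constructed toy value: 2310 = 2*3*5*7*11, many small factors


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for auditing parameters, not for generating them."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def small_subgroup_orders(p, bound=2**16):
    """Small prime factors of p-1 (with multiplicity). Each factor r is the order of a subgroup
    of Z_p*; a reused private exponent leaks its value modulo r per such subgroup, and the
    residues combine via the Chinese remainder theorem, which is the risk the advisory describes."""
    n, factors, f = p - 1, [], 2
    while f <= bound and f * f <= n:
        while n % f == 0:
            factors.append(f)
            n //= f
        f += 1
    if 1 < n <= bound:
        factors.append(n)
    return factors


def audit_dh_prime(p):
    """Classify a DH modulus: 'safe prime' means only the trivial order-2 subgroup exists below q,
    so there is nothing to recover piecewise even if the exponent were reused."""
    if not is_probable_prime(p):
        return {"verdict": "not prime", "small_orders": []}
    if is_probable_prime((p - 1) // 2):
        return {"verdict": "safe prime", "small_orders": [2]}
    return {"verdict": "unsafe prime", "small_orders": small_subgroup_orders(p)}
```

Running `audit_dh_prime` on a server's configured parameters tells you whether the group itself invites piecewise recovery; the separate mitigation, regardless of group, is to stop reusing the exponent (OpenSSL's `SSL_OP_SINGLE_DH_USE`, which the 1.0.2f patch applies by default).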
Revisiting Logjam…
Thursday’s patch also added protection against the HTTPS-crippling vulnerability, first disclosed in May of last year, that threatened tens of thousands of servers. Dubbed Logjam, it allowed skilled attackers to downgrade Diffie-Hellman-generated encrypted connections to an extremely weak 512-bit connection. From there, attackers could use pre-computed data prepared ahead of time to work out the key negotiated between the two parties.
With this release, OpenSSL now rejects all key negotiations with Diffie-Hellman parameters shorter than 1,024 bits. In a previous update OpenSSL had raised the minimum to 768 bits.
We and the OpenSSL team strongly urge anyone running OpenSSL version 1.0.2 to upgrade to 1.0.2f immediately. Those still using version 1.0.1 should upgrade to 1.0.1r immediately. OpenSSL’s advisory also reminded users that support for version 1.0.1 ends at the end of this year, after which no security fixes or improvements will be released.