The anticipated security vulnerability in the widely used OpenSSL code library has been revealed, it’s rather critical and should be patched immediately, but does not contain the same severity as a Heartbleed or FREAK flaw.
Non-profit OpenSSL Foundation released the patch for their software after announcing Monday that a “high” severity vulnerability had been identified and was set to be patched Thursday.
Past OpenSSL versions 1.0.1n and 1.0.2b, are vulnerable to a certificate forgery issue that resides in the implementation of the cryptography protocol.
The critical vulnerability could potentially allow a man-in-the-middle attacker to impersonate an SSL protected website, virtual private network (VPN), email server, or even allow a third-party to spy on your encrypted Internet connection.
OpenSSL’s critical vulnerability, (CVE-2015-1793), resides within the certificate verification process. It has to do with the way it was implemented, skipping a few of the security checks for untrusted certificates.
If exploited properly, an attacker could easily circumvent SSL certificate warnings, forcing applications to take the invalid certificate as a legitimate Certificate Authority.
“An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed,” the latest OpenSSL security advisory read Thursday. “such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate.”
The OpenSSL vulnerability impacts any and all end-user applications that verify certificates including Transport Layer Security (TLS), Secure Socket Layer (SSL) or DTLS clients, and SSL/TLS/DTLS servers utilizing client authentication.
Adam Langley and David Benjamin of Google’s BoringSSL, Google’s homemade version of the OpenSSL toolkit, identified the high-severity vulnerability and reported the flaw to the OpenSSL foundation on June 24th. A little less than a month later, OpenSSL swiftly responded to the flaw, issuing a nearly immediate patch.
The security vulnerability affects OpenSSL versions 1.0.1n, 1.0.2b, 1.0.2c, and 1.0.1o. If running any of the affected OpenSSL packages, we highly urge you to update to the their OpenSSL package versions 1.0.2d and 1.0.1p.