Earlier this morning, OpenSSL released a security patch to fix a new vulnerability discovered in OpenSSL versions 1.0.2 and 1.0.1. This patch fixes one high severity vulnerability, which primarily affects clients.
This bug does not affect private keys for DigiCert SSL Certificates, and no action related to certificate management is required.
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.
An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.
The vulnerability potentially allows a man-in-the-middle attack on the client side and could cause some client applications to see invalid and untrusted SSL Certificates as valid certificates. The vulnerability impacts client-side implementations of OpenSSL, which means that users will need to update their browsers in order to implement the patch.
What’s the Impact?
The vulnerability appears to exist only in OpenSSL releases that happened in June 2015 and later. Because of this, the vulnerability only affects a limited set of OpenSSL versions: OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
Red Hat, CentOS, Debian, and Ubuntu have released noticed stating that their distributions are not affected by this vulnerability since they were not utilizing the latest version of OpenSSL.
What Should I Do?
Administrators should update their instances of OpenSSL:
- OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
- OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
Note: The bug does not affect OpenSSL versions 1.0.0 and 0.9.8.
Source code is available for the OpenSSL patches here.
Clients should update their browsers as soon as new versions are released.
Ensuring OpenSSL Remains Secure
The industry continues to focus its efforts on making sure that the cores services security remains strong. As part of this movement, OpenSSL continues to find and patch vulnerabilities in the OpenSSL framework. This process of finding and fixing these vulnerabilities is vital to the long-term security, strength, and longevity of these projects. Hopefully, this process allows the OpenSSL project team to discover and patch these types of issues before attackers can find and exploit them. Although moans and sighs may be heard each time patches must be applied, this type of vigilance must be maintained to help guarantee that the OpenSSL code remains secure.