OpenSSL patches “high-severity” vulnerability
10 July 2015
Operators of systems running OpenSSL should take note of the project's recent announcement of a serious bug.
The origin and nature of the flaw have not yet been made public, though the announcement states that the defect has been “classified as high severity”.
The defect means that OpenSSL cannot guarantee that a certificate presented to the user was issued by a legitimate Certificate Authority.
The announcement has drawn concern from other security vendors.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said: “With today’s news from OpenSSL, we continue to see organisations leave open doors for attackers by failing to protect the trust provided by digital certificates and cryptographic keys.”
OpenSSL has announced that updated releases will be made available on 9th July and that they “will fix a single security defect”.
Bocek also raised concern over organisations' inability to detect rogue certificates used by attackers to impersonate trusted systems and users.
“Attackers know that most organisations cannot detect or respond to anomalous certificates that authenticate systems and users on their networks, devices and applications, so they exploit them, which is the fear with this newly uncovered vulnerability,” he said.
Despite the lack of detail about the vulnerability, there are suggestions that its damage potential is limited.
Tod Beardsley, security engineering manager at Rapid7, said: “This vulnerability is really only useful to an active attacker, who is already capable of performing a man-in-the-middle (MITM) attack, either locally or upstream from the victim.
“This limits the feasibility of attacks to actors who are already in a privileged position on one of the hops between the client and the server, or is on the same LAN and can impersonate DNS or gateways.”
The statement was published on the OpenSSL website on 6th July 2015. The fixes will ship in OpenSSL versions 1.0.2d and 1.0.1p; the announcement states that the defect does not affect the 1.0.0 or 0.9.8 releases.
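The one thing an administrator can act on from the announcement is the version table: fixes arrive as 1.0.2d and 1.0.1p, and the 1.0.0 and 0.9.8 branches are not affected. The script below is an added example, not code from the OpenSSL project or from the article; it classifies an OpenSSL version string (either the raw output of `openssl version` or a bare version such as `1.0.2c`) as at or above the fix release for its branch, below it, unaffected, or unknown. The sample version strings are constructed inputs. Two caveats: the announcement does not say which earlier releases on the 1.0.1 and 1.0.2 branches carry the bug, so "upgrade" here means "below the fix release", not a proven vulnerability; and distributions that backport fixes keep old version strings, so a version check alone never proves a patched or unpatched state.

```shell
#!/bin/sh
# Added example (not from the OpenSSL announcement or the article): classify an
# OpenSSL version string against the fix releases named in the 6 July 2015
# pre-announcement (1.0.2d and 1.0.1p; 1.0.0 and 0.9.8 unaffected).

# Rank an OpenSSL patch-letter suffix: "" -> 0, a -> 1, b -> 2, ... z -> 26.
# Anything else (multi-letter suffixes, stray text) ranks -1 and is reported as unknown.
letter_rank() {
    case "$1" in
        "") echo 0 ;;
        [a-z])
            alpha="abcdefghijklmnopqrstuvwxyz"
            prefix="${alpha%%$1*}"          # letters that sort before $1
            echo $(( ${#prefix} + 1 )) ;;
        *) echo -1 ;;
    esac
}

# Usage: openssl_fix_status VERSION
# Prints one of: fixed | upgrade | unaffected | unknown
openssl_fix_status() {
    v="$1"
    # Accept raw `openssl version` output ("OpenSSL 1.0.2c 12 Jun 2015") too.
    case "$v" in
        "OpenSSL "*) v="${v#OpenSSL }"; v="${v%% *}" ;;
    esac
    v="${v%%-*}"                             # drop build flavours such as "-fips"

    case "$v" in
        1.0.2*) branch="1.0.2"; fix="d" ;;   # fix release 1.0.2d
        1.0.1*) branch="1.0.1"; fix="p" ;;   # fix release 1.0.1p
        1.0.0*|0.9.8*) echo unaffected; return 0 ;;
        *) echo unknown; return 0 ;;         # branch not covered by the announcement
    esac

    have=$(letter_rank "${v#$branch}")       # "1.0.2" -> "", "1.0.2c" -> "c"
    need=$(letter_rank "$fix")
    if [ "$have" -lt 0 ]; then
        echo unknown
    elif [ "$have" -ge "$need" ]; then
        echo fixed
    else
        echo upgrade
    fi
}

# Stand-alone use: check the local binary when present, otherwise run on a
# constructed sample string.
if command -v openssl >/dev/null 2>&1; then
    openssl_fix_status "$(openssl version)"
else
    openssl_fix_status "OpenSSL 1.0.2c 12 Jun 2015"   # constructed sample input
fi
```

The patch-letter ordering is OpenSSL's own 1.0.x convention (1.0.2 with no letter is the base release, then 1.0.2a, 1.0.2b, and so on), which is why the comparison reduces to ranking a single trailing letter.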
It is not the first time OpenSSL has faced a serious vulnerability.
The announcement follows the highly publicised Heartbleed bug in the same cryptographic software library in 2014.
The Heartbleed bug allowed an attacker to read portions of a server's memory, exposing private keys, user credentials and the plaintext of data being transmitted.
OpenSSL implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols; it was OpenSSL's implementation of the TLS heartbeat extension that contained the Heartbleed bug last year.
Bocek advised that organisations should manage their certificates and encryption keys better, and that knowing where certificates are and whether they can be trusted is of crucial importance.
“Until that happens, we’ll continue to see vulnerabilities and full-scale breaches occur with many other organisations,” he said.