OpenSSL promptly issues patch for ‘high severity’ bug

Posted in Hacker News

OPEN SOURCE SOFTWARE OUTFIT OpenSSL has issued a patch for the ‘high severity’ bug it warned about earlier this week, and has advised that firms apply the patch as soon as possible.

While fears were raised that we could have another Heartbleed on our hands, it’s thought that the bug was not exploited.

Still, OpenSSL was quick to push out a fix for the issue, and has provided information on the nature of the problem.

“During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails,” it said.

“An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA [certificate authority] flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate.

“This issue will impact any application that verifies certificates, including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.”
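The logic the advisory describes, as an added toy model that is not OpenSSL's code and does not reproduce its actual code path: certificates are just a name, an issuer name and a CA flag, signatures are assumed valid, and the defect is modelled as the alternative chain being accepted without the CA-flag check being re-run on its untrusted members.

```python
# Added toy model (not OpenSSL's code) of the chain-building logic described
# above. Signatures are assumed valid; `key` stands in for the public key.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str
    is_ca: bool   # basicConstraints CA flag
    key: str

def build_first_chain(supplied: list[Cert]) -> list[Cert]:
    """Follow issuer names inside the peer-supplied certs, leaf first."""
    by_name = {c.name: c for c in supplied[1:]}
    chain = [supplied[0]]
    while chain[-1].issuer != chain[-1].name and chain[-1].issuer in by_name:
        chain.append(by_name[chain[-1].issuer])
    return chain

def ca_checks_pass(chain: list[Cert]) -> bool:
    """Every certificate above the leaf must carry the CA flag."""
    return all(c.is_ca for c in chain[1:])

def verify(supplied: list[Cert], trusted: set[Cert], fixed: bool) -> bool:
    anchors = {t.name: t for t in trusted}
    chain = build_first_chain(supplied)
    if chain[-1] in trusted:              # first attempt reached a trust anchor
        return ca_checks_pass(chain)
    # First attempt failed: cut back to the deepest cert whose issuer is a
    # trust anchor and append that anchor (the "alternative chain").
    for i, c in enumerate(chain):
        if c.issuer in anchors:
            alt = chain[: i + 1] + [anchors[c.issuer]]
            # Modelled defect: the vulnerable variant accepts the alternative
            # chain without re-running the checks on its untrusted members.
            return ca_checks_pass(alt) if fixed else True
    return False

# Constructed scenario: a non-CA end-entity cert "issues" a cert for another
# name; an untrusted root lookalike makes the first chain attempt end untrusted.
ROOT = Cert("Root", "Root", True, "key-root")
TRUSTED = {ROOT}
LEAF = Cert("leaf.example", "Root", False, "key-leaf")
FORGED = Cert("victim.example", "leaf.example", False, "key-forged")
LOOKALIKE = Cert("Root", "Root", True, "key-bogus")

def demo() -> dict:
    supplied = [FORGED, LEAF, LOOKALIKE]
    return {"vulnerable": verify(supplied, TRUSTED, fixed=False),
            "fixed": verify(supplied, TRUSTED, fixed=True)}
```

With the fix applied, the same supplied certificates are rejected because the end-entity certificate in the alternative chain lacks the CA flag; ordinary chains through a real intermediate still verify.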

Commenting on the prompt release of the patch, David Harley, senior research fellow at security firm ESET said: “It’s significant in that it addresses a bug which could have been exploited to bypass checks on untrusted certificates, though I’m not aware of any instance where it was actually exploited.

“It’s worth remembering, perhaps, that it’s not unknown for a TLS certificate to be made available for a site that isn’t what it appears to be. I’m thinking of the recent case where a researcher registered a site with a name that resembled a legitimate bank’s domain name and had no problem buying a certificate for it.

“It’s important to remember that even when traffic is correctly encrypted it doesn’t mean that the traffic is legitimate.”

The OpenSSL project team, the group of developers responsible for maintaining the widely used OpenSSL cryptographic library, announced the forthcoming patch in a mailing list posting by developer Mark J Cox earlier this week.

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p,” said Cox.

“These releases will be made available on 9 July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”

Source: TheInquirer