TechWalls

Technology News | Gadget Reviews | Tutorials


OpenSSL hit with new critical vulnerability

By Guest Authors

Security researchers have found a new vulnerability in OpenSSL that could let attackers intrude on an otherwise secure communications network.

The critical flaw, which comes in addition to the Heartbleed vulnerability, lets attackers trick computers into recognizing a fake digital certificate as legitimate. Once a sham digital certificate is accepted, hackers could perform man-in-the-middle attacks against the network, eavesdropping on secure communications between users who believe they are exchanging messages in a safe environment.


OpenSSL is widely used to implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols. The majority of web servers in the world use the open source software.

The vulnerability lies in how OpenSSL verifies certificates. That means the accuracy of the verification process has been compromised.

Here’s how it works. If a connecting device cannot confirm that a certificate was issued by a trusted Certificate Authority (CA), it moves one step higher in the chain of certificate issuance. SSL certificates are issued in a chain that runs from the root certificate authority through various intermediate CAs and ultimately to the end-user certificate. If the device cannot locate a trusted certificate authority, it returns an error and refuses the secure connection.

When its earlier attempts to build a certificate chain fail, OpenSSL tries to find an alternative chain. An error in the implementation of this alternative-chain search is what creates the vulnerability. As a result, attackers can work their way around the checks on untrusted CAs.

An attacker can also use an end-user certificate to pose as a CA and issue illegitimate certificates that the victim computer will treat as trusted.

SSL and TLS client software usually performs the task of validating a chain of certificates. Such software can include browsers and email servers, which are susceptible to the flaw if they verify certificate chains with an edition of OpenSSL affected by the vulnerability.

Luckily, web servers are safe from the vulnerability if they do not authenticate site visitors, or if they authenticate visitors with passwords.

The OpenSSL versions affected by this vulnerability are 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c need to upgrade to 1.0.2d, while users of versions 1.0.1n and 1.0.1o must upgrade to 1.0.1p.
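To check a fleet against the version list above, the following added example (not part of the original article) parses `openssl version` banners from an inventory and reports the upgrade target for each affected host. The host names, the tab-separated inventory format and the sample banners are constructed assumptions.

```python
import re

# Affected releases and their fixed versions, as listed in the article.
AFFECTED = {
    "1.0.2b": "1.0.2d", "1.0.2c": "1.0.2d",
    "1.0.1n": "1.0.1p", "1.0.1o": "1.0.1p",
}

# Matches the banner printed by `openssl version`, including builds with a
# suffix such as "-fips" (e.g. "OpenSSL 1.0.1o-fips ...").
BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(?:-[\w.]+)?\b")


def parse_version(banner):
    """Return the upstream version (e.g. '1.0.2c') or None if unrecognised."""
    match = BANNER.search(banner)
    return match.group(1) if match else None


def audit(lines):
    """Map host -> (version, upgrade_target) for 'host<TAB>banner' lines.

    upgrade_target is None when the version is not on the affected list.
    Banners that cannot be parsed are reported as 'unparsed' so they get a
    manual look instead of being silently treated as safe.
    """
    findings = {}
    for line in lines:
        host, _, banner = line.partition("\t")
        version = parse_version(banner)
        if version is None:
            findings[host.strip()] = ("unparsed", None)
        else:
            findings[host.strip()] = (version, AFFECTED.get(version))
    return findings


# Constructed sample inventory (hypothetical hosts, one banner per line).
SAMPLE = [
    "web01\tOpenSSL 1.0.2c 12 Jun 2015",
    "mail01\tOpenSSL 1.0.1o-fips 12 Jun 2015",
    "web02\tOpenSSL 1.0.2d 9 Jul 2015",
    "legacy01\tOpenSSL 1.0.1e-fips 11 Feb 2013",
    "edge01\tLibreSSL 2.2.0",
]

if __name__ == "__main__":
    for host, (version, target) in audit(SAMPLE).items():
        status = f"AFFECTED, upgrade to {target}" if target else "not on affected list"
        print(f"{host}: {version} ({status})")
```

Distribution packages often backport fixes without changing the upstream version letter, so treat a match as a prompt to check the vendor's advisory for that package.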
