The bug was reported two weeks ago to the OpenSSL project by Google researcher Adam Langley and BoringSSL’s David Benjamin, and affects only OpenSSL 1.0.1 and 1.0.2.
“It’s a bad bug, but only affects anyone who installed the release from June,” said Rich Salz, a member of the OpenSSL development team. The bug was introduced during that update and affected relatively few organizations. “It’s a bad bug, but the impact is low. We haven’t heard any reports of it being used in production.”
The vulnerability allows an attacker holding an untrusted TLS certificate to have it treated as a certificate authority and to spoof another website. Attackers can use this to redirect traffic, mount man-in-the-middle attacks, run phishing schemes and do anything else that compromises supposedly encrypted traffic.
Salz said there are no reports of public exploits.
OpenSSL released on Monday an advance notification that a patch for a single high-severity vulnerability was on the way and that the fix would ship in versions 1.0.2d and 1.0.1p. The issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o; it is not present in the 1.0.0 or 0.9.8 releases, said Mark J. Cox of the OpenSSL development team.
“During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails,” OpenSSL said in today’s advisory. “An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate.
“This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication,” the advisory said.
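A simplified model of the chain-building logic the advisory describes, added here as an illustration and not OpenSSL's own code: the verifier tracks where the untrusted part of the chain ends, mis-tracks that boundary when it falls back to an alternative chain, and so skips the CA-flag check on the untrusted leaf; `fixed=True` applies a one-line recomputation of the boundary. The `Cert` record, the lookup helper and the certificate names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool  # Basic Constraints CA flag

def issuer_of(cert, pool):  # first cert in pool whose subject matches cert's issuer name
    return next((c for c in pool if c.subject == cert.issuer), None)

def verify(leaf, untrusted, trusted, fixed=True):
    """Return (ok, detail). fixed=False models the flawed bookkeeping, fixed=True the one-line fix."""
    chain = [leaf]  # 1. extend with peer-supplied (untrusted) certs; stop on a loop
    while (nxt := issuer_of(chain[-1], untrusted)) is not None and nxt not in chain:
        chain.append(nxt)
    last_untrusted = len(chain)  # chain[:last_untrusted] are the untrusted certs
    def extend_from_store():  # 2. add trusted issuers until a self-signed anchor is reached
        while chain[-1].subject != chain[-1].issuer:
            nxt = issuer_of(chain[-1], trusted)
            if nxt is None:
                return False
            chain.append(nxt)
        return True
    if not extend_from_store():  # 3. no anchor: try an alternative chain via the trust store
        for j in range(last_untrusted - 1, 0, -1):
            if (alt := issuer_of(chain[j - 1], trusted)) is None:
                continue
            while len(chain) > j:
                chain.pop()
                if not fixed:
                    last_untrusted -= 1  # flaw: also decremented for trusted certs added in step 2
            if fixed:
                last_untrusted = len(chain)  # fix: recompute the untrusted/trusted boundary
            chain.append(alt)
            if extend_from_store():
                break
        else:
            return False, "unable to get issuer certificate"
    # 4. Checks applied to untrusted certs only: every untrusted issuer must carry the CA flag.
    for i in range(1, last_untrusted):
        if not chain[i].ca:
            return False, f"invalid CA certificate: {chain[i].subject}"
    return True, " -> ".join(c.subject for c in chain)

# Constructed scenario (hypothetical names): the root is absent; the trust store holds Inter CA
# cross-signed by that missing root, plus a self-signed copy of Sub CA.
INTER = Cert("Inter CA", "Root CA", ca=True)
SUB = Cert("Sub CA", "Inter CA", ca=True)
SUB_SS = Cert("Sub CA", "Sub CA", ca=True)
LEAF = Cert("www.example.test", "Sub CA", ca=False)  # genuine end-entity cert, CA flag false
FORGED = Cert("forged.example.test", "www.example.test", ca=False)  # "issued" by the leaf
TRUSTED, UNTRUSTED = [INTER, SUB_SS], [LEAF, SUB]
```

With the flawed bookkeeping, `verify(FORGED, UNTRUSTED, TRUSTED, fixed=False)` accepts the chain through the non-CA leaf; with `fixed=True` the same input is rejected with an invalid-CA error, while the genuine leaf still verifies either way.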
Salz said that the patch required one line of code. A test case will also be developed for this type of bug, he added.
“Increasing test coverage is important,” Salz said. “There’s a renewed interest to test everything to avoid this type of regression.”
OpenSSL developers are in the midst of a massive cleanup of the codebase. Funding from a number of sources, principally the Core Infrastructure Initiative, has beefed up the project’s resources, allowing it to pay for a number of full- and part-time hires who can wade through not only bug fixes but also the makeover of gnarly, patchwork code, including the TLS state machine and other sources of vulnerabilities such as FREAK, Logjam, POODLE and Heartbleed.
The June OpenSSL update patched Logjam, along with a host of other memory corruption and denial of service issues. That release also fixed an exploitable issue that could allow an attacker to create malformed certificates and CRLs.
This is the second time OpenSSL has issued a pre-notification about a high-severity bug, in accordance with the security policy it published last September. As with the first alert, this one set off alarm bells that another Internet-wide bug such as Heartbleed might have been found. On that first occasion, the bug turned out to be a denial-of-service condition that affected only version 1.0.2 of the crypto library; a dozen other vulnerabilities (nine ranked moderate and three low) in older versions were patched alongside it.