Feared OpenSSL vulnerability gets patched, forgery issue resolved

The latest flaw is bad, but at least it's no Heartbleed


The promised patch against a high severity bug in Open SSL is out, resolving a certificate forgery risk in many implementations of the crypto protocol.

Versions 1.0.1n and 1.0.2b of OpenSSL need fixing to resolve a bug that created a means for hackers to run crypto attacks that circumvent certificate warnings, as an advisory by OpenSSL explains.

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.

An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

This issue was reported to OpenSSL on 24 June by Adam Langley/David Benjamin of Google/BoringSSL. The fix was developed by the BoringSSL project.

OpenSSL developers warned the fix was forthcoming on Monday without providing any details. The upcoming patch sent shivers through the industry, as it came months after the infamous Heartbleed vulnerability which also stemmed from flaws in OpenSSL.

Tod Beardsley, security engineering manager at Rapid7, said that left unresolved the flaw would allow hackers to impersonate Certificate Authorities.

"The issue at the core of today’s disclosure is that OpenSSL can fail to correctly validate that a certificate presented is issued by a trusted Certificate Authority. In effect, the Certificate Authority mechanism for validating that endpoint services are “who they say they are” can be bypassed with this vulnerability; cryptographic procedures that protect the secrets passed between clients and servers are unaffected. So, while the encryption is unaffected, users cannot be sure who they are sharing secrets with without the provided patch. "This vulnerability is really only useful to an active attacker, who is already capable of performing a man-in-the-middle (MITM) attack, either locally or upstream from the victim. This limits the feasibility of attacks to actors who are already in a privileged position on one of the hops between the client and the server, or is on the same LAN and can impersonate DNS or gateways. The vulnerability is not useful for passive attacks, or widespread, untargeted attacks," he added.

Initial reaction by experts suggests the latest flaw is bad, but no Heartbleed.

"Facepalm-level bad, but not Heartbleed-level bad, at first glance," said application security expert Chris Eng in an update to his personal Twitter account. ®

Similar topics

Broader topics


Other stories you might like

  • Robotics and 5G to spur growth of SoC industry – report
    Big OEMs hogging production and COVID causing supply issues

    The system-on-chip (SoC) side of the semiconductor industry is poised for growth between now and 2026, when it's predicted to be worth $6.85 billion, according to an analyst's report. 

    Chances are good that there's an SoC-powered device within arm's reach of you: the tiny integrated circuits contain everything needed for a basic computer, leading to their proliferation in mobile, IoT and smart devices. 

    The report predicting the growth comes from advisory biz Technavio, which looked at a long list of companies in the SoC market. Vendors it analyzed include Apple, Broadcom, Intel, Nvidia, TSMC, Toshiba, and more. The company predicts that much of the growth between now and 2026 will stem primarily from robotics and 5G. 

    Continue reading
  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading

Biting the hand that feeds IT © 1998–2022