The mysterious security vulnerability in the widely used OpenSSL code library is neither HeartBleed nor FREAK, but it’s critical enough to be patched by sysadmins without any delay.
The OpenSSL Foundation released the promised patch for a high-severity vulnerability in OpenSSL versions 1.0.1n and 1.0.2b, resolving a certificate forgery issue in the implementations of the crypto protocol.
The critical vulnerability could allow man-in-the-middle attackers to impersonate cryptographically protected websites, virtual private networks, or e-mail servers, and snoop on encrypted Internet traffic.
The vulnerability (CVE-2015-1793) lies in the certificate verification process. An error in its implementation skipped some security checks on new, untrusted certificates.
By exploiting this vulnerability, an attacker could circumvent certificate warnings and force applications into treating an invalid certificate as a legitimate Certificate Authority.
"An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed," an advisory by OpenSSL explains, "such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate."
This problem impacts any end-user application that verifies certificates, including Transport Layer Security (TLS), Secure Sockets Layer (SSL), or DTLS clients, and SSL/TLS/DTLS servers using client authentication.
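The CA-flag check the advisory refers to, shown on a simplified in-memory model as an added example (not OpenSSL's code and not taken from the advisory). The `Cert` class, the names and the sample certificates are constructed; signatures, validity dates and key usage are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Cert:
    """Simplified certificate model (constructed; no signatures or dates)."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints CA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint

def validate_chain(chain: List[Cert], trust_anchors: Set[str]) -> Tuple[bool, str]:
    """chain[0] is the end-entity cert; each later cert issued the one before it."""
    if not chain:
        return False, "empty chain"
    for depth in range(1, len(chain)):
        child, issuer = chain[depth - 1], chain[depth]
        if child.issuer != issuer.subject:
            return False, f"{child.subject}: issuer name does not chain"
        # The check the advisory says could be bypassed: every issuing
        # certificate must carry the CA flag, whichever path was built.
        if not issuer.is_ca:
            return False, f"{issuer.subject}: not a CA"
        # pathLenConstraint caps the number of CA certs below this issuer.
        cas_below = depth - 1
        if issuer.path_len is not None and cas_below > issuer.path_len:
            return False, f"{issuer.subject}: path length exceeded"
    top = chain[-1]
    if top.subject not in trust_anchors or top.issuer != top.subject:
        return False, f"{top.subject}: not a trusted root"
    return True, "ok"

# Constructed sample certificates.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTER = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
LEAF = Cert("www.example.test", "Example Issuing CA")    # valid leaf, CA flag unset
FORGED = Cert("bank.example.test", "www.example.test")   # "issued" by the leaf
ANCHORS = {"Example Root CA"}

if __name__ == "__main__":
    print(validate_chain([LEAF, INTER, ROOT], ANCHORS))
    print(validate_chain([FORGED, LEAF, INTER, ROOT], ANCHORS))
```

A verifier that enforces this check on every path it builds rejects the second chain at the leaf, which is the behaviour the patched releases restore.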
This security issue was discovered by Adam Langley and David Benjamin of Google BoringSSL, Google's own version of the OpenSSL toolkit. The developers reported the flaw to OpenSSL on 24 June and then submitted a fix to address the issue.
The security flaw affects OpenSSL versions 1.0.1n, 1.0.2b, 1.0.2c, and 1.0.1o. We therefore recommend that users of OpenSSL version 1.0.2b/1.0.2c upgrade to version 1.0.2d, and that users of OpenSSL version 1.0.1n/1.0.1o upgrade to version 1.0.1p.