The OpenSSL Foundation has released the promised patch for a high severity vulnerability in its cryptographic code library that let attackers obtain the key to decrypt HTTPS-based communications and other Transport layer security (TLS) channels.
OpenSSL is an open-source library that is the most widely used in applications for secure data transfers. Most websites use it to enable Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
However, after serious security vulnerabilities were discovered in OpenSSL over the last few years, the crypto library has been under much investigation by security researchers.
The latest bugs affect OpenSSL versions 1.0.1 and 1.0.2, which has been patched in new releases of OpenSSL, versions 1.0.1r and 1.0.2f.
The team has patched two separate vulnerabilities in OpenSSL. The "high severity" bug, identified as CVE-2016-0701, addresses issues in the implementations of the Diffie-Hellman key exchange algorithm presents only in OpenSSL version 1.0.2.
Re-Use of Encryption Keys
Diffie-Hellman (DH) is a common means of exchanging cryptographic keys over untrusted channels, allowing protocols like HTTPS, SSH, SMTPS, IPsec to negotiate a secret key and create a secure connection.
However, the applications that rely on the DH key exchange algorithm generate ephemeral keys using only "safe" prime numbers, but servers that do this reuse the same primes by default, which makes them vulnerable to the key-recovery attack.
Attackers could exploit this flaw by potentially making multiple connections with a vulnerable server and searching for TLS server's private Diffie-Hellman key if the server was re-using the private key or using a static Diffie-Hellman ciphersuite.
However, OpenSSL has the SSL_OP_SINGLE_DH_USE option for ephemeral Diffie-Hellman in TLS. But the option was turned OFF by default that made the server reuse the same private exponent, making it vulnerable to this type of attack.
Fortunately, many mainstream applications, like The Apache Web server that rely on OpenSSL and use Diffie-Hellman, turns ON SSL_OP_SINGLE_DH_USE, causing different private exponents to be used.
OpenSSL said in an advisory published today that the team has turned ON SSL_OP_SINGLE_DH_USE option by default. You can go to OpenSSL official blog post to know additional details about the flaw.
Force to Use Weaker SSLv2 Ciphers
The "low severity" vulnerability, CVE-2015-3197 that affects versions 1.0.2 and 1.0.1, has also been patched in the latest release, which allows attackers to force SSLv3 connections through the weaker SSLv2 ciphers.
"A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2," the team said.
However, the team said that disabling SSLv2 ciphers on your server will not help and that incoming client can still complete SSL handshakes with the server, thereby establishing a non-secure SSLv2 connection.
Remember Logjam Downgrade Flaw?
The project team said the Thursday's release also contained an enhancement to strengthen cryptography against LogJam, an HTTPS-crippling vulnerability in TLS disclosed last May.
Logjam downgrade vulnerability allowed hackers to downgrade Diffie-Hellman-generated encrypted connections between a user and a Web or email server to use extremely weaker 512-bit keys that can be easily decrypted.
The previous patch had increased the limit of Diffie-Hellman parameters to 768 bits, but OpenSSL has now increased this limit to 1,024 bits.
Upgrade Now!
If you are using OpenSSL version 1.0.2, it's time for you to upgrade to version 1.0.2f. While those still using OpenSSL version 1.0.1 should install version 1.0.1r.
Among other recommendations, Thursday's OpenSSL advisory also warns that the patch may compromise performance, along with reminding users that support for OpenSSL version 1.0.1 will end at the end of this year, after which no security updates will be available.
However, Support for OpenSSL versions 0.9.8 and 1.0.0 already ended in December.