Security Advisor
New OpenSSL Encryption Flaw Found, Fix Now Available
The vulnerability has been discovered out of the wake of the Heartbleed bug disclosure.
The OpenSSL Foundation released an advisory today that urges those that use the online encryption protocol OpenSSL to update their client due to a critical flaw that was recently discovered.
According to the group, the flaw, which was discovered by Japanese researcher Masashi Kikuch, could allow an attacker to acquire and decrypt encrypted traffic traveling between a targeted PC and a server.
"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers," read the advisory. "This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server."
Today's disclosure and fix marks the second major issue with the Linux-based open source standard, used in more than half the active sites on the Internet, since the April discovery of the Heartbleed bug. However, unlike the previous vulnerability that could allow for unauthorized access and decryption of private online data from any point, today's vulnerability would be much harder to exploit due to having to be physically located somewhere between the PC sending data and the server receiving the encrypted data.
Another factor that limits the attack radius is that both ends of the connection (PC and server) must be running OpenSSL. While a majority of online servers do implement the open source encryption technology, most Web browsers don't.
"In most of our typical communication (browser Web server) we do not have two machines running OpenSSL, because the browser uses a different SSL library," said Wolfgang Kandek, CTO of security firm Qualys, Inc., in an e-mailed statement. "So while there are certainly situations where OpenSSL talks to OpenSSL, for example in command line tools, server to server communication and also in Android browsers (Chrome and native), which use OpenSSL, the conditions necessary for exploitation are quite a bit harder to find."
The discovery of the flaw, which affects those running OpenSSL versions 0.9.8, 1.0.0 and 1.0.1, could have stayed hidden if it wasn't for Heartbleed's widespread exposure months ago. According to discoverer Kikuch, the flaw has been around since the technology was available in 1998. However, by investigating Heartbleed further, and searching for any related vulnerabilities, the latest OpenSSL flaw was found, Kikuch discussed in a blog post detailing the vulnerability.
While today's flaw doesn't provide as gaping of a hole for attackers to exploit as Heartbleed, its total alleviation will be just as hard to pull off due to the overwhelming number of online servers that use OpenSSL. As for what end users can do to stay protected, avoid using any Web browser that implements the open source encryption tool.