​Another day, another OpenSSL patch

The good news is that this OpenSSL security breach does not affect shipping Linux or Unix operating systems.

The latest OpenSSL security hole isn't a bad one as these things go. It's no Heartbleed, Freak, or Logjam. But it's serious enough that, if you're running alpha or beta operating systems, you shouldn't delay patching it.

Fortunately, the affected OpenSSL versions are not commonly used in enterprise operating systems. For example, it doesn't impact shipping and supported versions of Red Hat Enterprise Linux (RHEL) or Ubuntu. In the case of Ubuntu, it does affect the 15.10 development release, but the patch is already available.

In this OpenSSL bug, when OpenSSL (starting from version 1.0.1n and 1.0.2b) starts to verify a certificate, if its first attempt to build a secure certificate chain fails, it will attempt to find an alternative certificate chain. So far, so good.

But, an error in how this logic implements skipped some security checks on new, untrusted certificates. For example, it didn't check the Certificate Authority (CA) flag. This enables a hacker to to use a valid leaf certificate to act as a CA and "issue" a bogus certificate. This, in turn, enables such hacks as a corrupted site being able to pretend it's another, legitimate site.

Hackers can do this because the bug facilitates man-in-the-middle attacks.

This problem affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Therefore, OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d and OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p.

The security hole, (CVE-2015-1793), was discovered by Google BoringSSL developers. This is Google's own open-source Secure-Socket Layer (SSL) program. It's not meant to replace OpenSSL as an open-source project because its application programming interface (API) and application binary interface (ABI) aren't stable enough for a universally used security program.

Related Stories: