On the 24th of June 2015, Adam Langley and David Benjamin (Google/BoringSSL) reported a vulnerability that allows attackers to cause specific checks on untrusted certificates to be bypassed. By bypassing checking of the CA (certificate authority) flag, attackers could use a valid leaf certificate to act as a CA and clients would “validate” an invalid certificate.
Today the OpenSSL project released advisories to install a patch that remediates these problems with the OpenSSL certificate verification process (affecting versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o). The flaw exists within the verification process, because if the first attempt to build a chain failed then OpenSSL would attempt to find an alternative certificate chain.
OpenSSL have advised that: “This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.”
Detection
To detect which version of OpenSSL you have running, use the following command:
$ openssl version -a
Remediation
The “BoringSSL” project developed patch was published today. 7 Elements advise upgrading as soon as possible:
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
Additionally, 7 Elements reminds that support for OpenSSL versions 1.0.0 and 0.9.8 will end at the end of this year.
The use of unsupported software is discouraged and usually symptomatic of a weak stance on solid Information Security practices. Industry recommendations dictate that regular patching policies are key in protecting infrastructure assets within organisations.
If you would like support in completing any assurance activity then please get in touch using:
contact-us@7elements.co.uk.
References:
https://www.openssl.org/news/vulnerabilities.html
https://www.openssl.org/news/secadv_20150709.txt
http://cxsecurity.com/issue/WLB-2015070040
https://grahamcluley.com/2015/07/openssl-vulnerability-revealed/