The latest bug in OpenSSL patched on Thursday is nowhere near as bad as Heartbleed and shows the open source community is getting better at spotting and addressing flaws, according to industry experts.
The high-severity flaw, discovered by Google’s BoringSSL team, is an “alternative chains certificate forgery” vulnerability (CVE-2015-1793) which could allow an attacker to bypass security checks and trick OpenSSL into believing a rogue certificate is a valid one, issued by a certificate authority.
“The issue at the core of today’s disclosure is that OpenSSL can fail to correctly validate that a certificate presented is issued by a trusted certificate authority,” Rapid7 security engineering manager, Tod Beardsley, explained.
“In effect, the certificate authority mechanism for validating that endpoint services are ‘who they say they are’ can be bypassed with this vulnerability; cryptographic procedures that protect the secrets passed between clients and servers are unaffected. So, while the encryption is unaffected, users cannot be sure who they are sharing secrets with without the provided patch.”
However, the bug only affects the latest versions of OpenSSL: 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o, according to an advisory.
It also only works for man-in-the-middle attackers and as such will not be useable for “passive attacks, or widespread, untargeted attacks,” Beardsley added.
OpenSSL is not used for certificate validation by the four main browsers: IE, Chrome, Safari and Firefox.
“Other than that, there’s certainly lots of server-type tools that might use OpenSSL for client operations. For them, this vulnerability is potentially significant, but attackers would need to exploit them on a case-by-case basis,” argued Qualys director of security engineering, Ivan Ristic.
“This is nowhere near Heartbleed. A certificate validation flaw in a TLS library largely affects only clients. Servers need certificate validation only when mutual authentication is enabled, which is a minor use case.”
OpenSSL has certainly taken a pounding over recent months and years with major flaws including Heartbleed and FREAK discovered.
However, things are getting better, according to Steve Donald, CTO of Hexis Cyber Solutions.
“Unlike Heartbleed where the underlying vulnerability had been in the code base for 28 months, the lifespan of this particular bug was just a couple of months,” he argued.
“Since open source libraries – especially broad applicability and security libraries like OpenSSL – are pervasive across the broader computer software industry and end up embedded in mainstay products and websites across the globe, it’s good that the open source community continues to police itself and issues responsible notifications and code updates.”