OpenSSL issues fix for niche but high severity security flaw

A fix for the OpenSSL standard has been released with a severity rating of 'high', although the risk to businesses appears to be minimal. Nevertheless, firms are being advised to apply the patch as soon as possible.

The OpenSSL project team announced the fix in a blog post earlier in the week, explaining that it affects versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

The team has now provided information on the nature of the problem. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails," it said.

"An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA [certificate authority] flag, enabling them to use a valid leaf certificate to act as a CA and 'issue' an invalid certificate.

"This issue will impact any application that verifies certificates, including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication."

The fact that the fix is for quite a niche aspect of the OpenSSL system, and does not affect all versions, will be a relief to security workers, who may have feared another Heartbleed-level bug.

The security of OpenSSL has been on the radar for over a year since the infamous Heartbleed security bug was uncovered that affected two-thirds of the world’s web servers.

This also led to a growing awareness that such an important standard was woefully under-supported, both in financial terms and technical prowess. Efforts to improve the support given to the OpenSSL project have been increased.

Steve Donald, the chief technology officer of security firm Hexis Cyber Solutions said that while the bug fix was for a fairly niche issue, it was impressive to see how quickly it had been uncovered and dealt with.

"Unlike Heartbleed where the underlying vulnerability had been in the code base for 28 months, the lifespan of this particular bug was just a couple of months," he said.

"Since open source libraries are pervasive across the broader computer software industry and end up embedded in mainstay products and websites across the globe, it’s good that the open source community continues to police itself and issues responsible notifications and code updates."

• Tweet  
• Facebook  
•  
•  
• Save this article  
• Send to  

• Topics
• Security
• Operating Systems
• Web
• Heartbleed