The recent discovery of a
potentially
serious Secure Socket Layer (SSL) flaw affecting a popular Linux
distribution should act as a wake up call to the open source community, experts
warn.
John Pescatore, vice president and distinguished analyst at Gartner, called
for open source developers and their vendor counterparts to improve
communications processes to address the flaw that could lead to the exposure of
encrypted data.
The Sans Institute issued a 'yellow alert' on 16 May over the SSL
vulnerability in some Debian distros.
The vulnerability affects encryption key pairs used by the Debian OpenSSL
package and could enable hackers to access encrypted transaction data,
passwords, financial information and other sensitive data.
A
Debian
advisory offers recommendations for patching the software.
"This vulnerability, which was apparently introduced by Debian's developers,
not open source OpenSSL developers, highlights one of the risks of using
software products that incorporate open source modules," said Pescatore.
"In May 2006, the Debian developers chose to make changes to the OpenSSL
package used in Debian to fix what appeared to be a memory leak, rather than
wait for the OpenSSL developer community to investigate and address the issue."
Pescatore claimed that the Debian "fix" resulted in a serious weakness in the
OpenSSL random number generator that made it easy for attackers to discover
encryption keys.
"In general, encryption code should not be modified without a very thorough
process designed to determine the impact of the modifications on the proper
functioning of the code and on Federal Information Processing Standards
compliance status," he said.
Pescatore noted that the OpenSSL developers' mailing list shows that Debian
developers tried to communicate with the OpenSSL development community, but that
the informal communication processes "were clearly inadequate in this instance"
.
"We believe this experience confirms our view that open source process
communications require significant improvements," he said.
"In many other cases, product vendors have made changes to open source
packages without even attempting to contact the 'upstream' developers.
"This approach significantly increases the risk that new vulnerabilities will
be introduced into open source code and the likelihood that upstream fixes for
other vulnerabilities will cause later problems with the vendor-modified
modules.
"Commercial and open source vendors frequently incorporate third-party open
source modules in their code, so enterprises need to be aware of the potential
issues that can result."
Do you agree?
Have your say on this article