OpenSSL: Yet Another Bug Discovered and Squashed

OpenSSL has been hit by yet another problem, though the severity of this new security vulnerability is nothing compared to that of Heartbleed. Yes, the bug can allow hackers to see private communications between a client and a server, but this is a pretty complex affair. In fact, there are quite a few variables that need to be in place for the bug to pose a threat. If, however, every variable does fall in place, then there definitely is a lot to be concerned about. The good news is that since there are many eyes closely watching and scrutinizing the OpenSSL for possible flaws, the software doesn’t retain its issues for long.

The nature of the threat

Uncovered by security researcher Masashi Kikuchi earlier in May, the security vulnerability referred to as CVE-2014-0224 allows the attacker to decrypt and modify traffic from the compromised client and server. An advisory on the OpenSSL website states, “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”

According to Kikuchi, the bug had been around for 16 years and had so far evaded detection because of insufficient code checks.

Below, you can find interesting way used by 9GAG to explain how the bug works :

Vulnerable targets

As mentioned before, the bug becomes dangerous only when a handful of variables fall in place. The attack can be performed only if both the server as well as the client is running the vulnerable version of OpenSSL, which is either 1.0.1 or 1.0.2-beta1. Even then, the man-in-the-middle attack relies on a compromised device like a router, switch, modems, etc. Unfortunately, there may be more web servers at risk then one may initially think. After the Heartbleed saga, which involved yet another security vulnerability that allowed attackers to read the memory of the systems that were secured by the vulnerable versions of OpenSSL, millions of web servers upgraded to newer version of the software. Doing so meant that a significant percentage of them were using version 1.0.1 or 1.0.2-beta1, thus becoming susceptible to the bug. The problem is, it’s not easy to tell just how many of the applications are using these particular versions of the security package as such information is not normally flaunted. Users of desktop browsers and iOS have nothing to worry about through as it has been confirmed by Google’s security engineer Adam Langley that "IE, Firefox, Chrome on Desktop and iOS, Safari, etc" do not user OpenSSL.

Threat contained

With so many eyes reviewing OpenSSL, the issue wasn’t expected to last for too long. After discovering and bringing the problem to light, Kikuchi helped develop a fix for the bug. Stephan Henson of the software’s core team finalized the fix produced by the security researcher before it was made available for download. Although the fix has primarily been developed for versions 1.0.1 and 1.0.1-beta1, users of earlier versions of OpenSSL software have also been advised to upgrade as a precaution.

The OpenSSL core team has surely been kept busy this year. However, this is expected when dealing with a piece of software that has grabbed the attention of so many security researchers, who are all keen to make whatever contributions they possibly can to improve its security. This is just the sort of effort and collaboration that is required to fend off the threat of hackers, who also seem to be getting sneakier with every passing day. It remains to be seen just for how long the likes of OpenSSL would be able to block the path of those intent on gaining access to private communications of Internet users.