Friday, 02 October 2015 15:37

Potential New Exploit found in OpenSSL gets around latest hotfix

Written by

Reading time is around minutes.

It seems that someone may have found a way around at least one of the latest hot fixes for OpenSSL. According to some talk around the darker places on the internet, a rehash of metadata can allow a malicious individual to get around the latest hot fix designed to stop someone from bypassing the CA check in OpenSSL. The original flaw was found to exist during certificate validation. When OpenSSL checks the certificate chain it will try to build an alternate route if the first attempt fails. Due to a flaw in the way this is done can allow a “bad guy” to actually force some of the secondary checks to be bypassed and allow an invalid cert to pass.

According to OpenSSL security advisory CVE-2015-1793):

“During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.”

This bug was supposed to be fixed in versions 1.0.2d and 1.0.1p of OpenSSL, but now things seem to be back to normal as hackers have found a way to trick the new logic into allowing bad certs to look like good ones. The security team at OpenSSL is back to square one at this point and we are sure that this will be put to use in the very near future. We hope that they are not too far along on version 1.1 to drop in a real fix for this issue.

This potential hole in a hot fix is something that we are seeing more and more often. It seems that either not enough research is being done to determine root causes when a flaw is found or development teams are patching only a part of the problem. Either way this is an issue. OpenSSL is widely used and while the development team might push a hit fix out fairly quickly that does not always trickle down to every product. Each manufacturer will have their own testing and release timelines. This slows the adoption of a fix quite a bit. When a patch still has the same basic flaw the time of exposure is even greater. This situation also means that the bad guys might start poking at other patches to see if there are ways around them… we are betting they will find them.

We will keep you up to date as we get more information about the actual methods used in this new exploit, if it works consistently, and how to guard against it.

Read 2318 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.