Feared OpenSSL vulnerability gets patched, forgery issue resolved

The promised patch against a high severity bug in OpenSSL is out, resolving a certificate forgery risk in the widely used crypto library. The 1.0.1n and 1.0.2b releases of OpenSSL (and the 1.0.1o and 1.0.2c point releases that followed them) need fixing to resolve a bug that let an attacker use an ordinary, valid leaf certificate to act as a CA and bypass certificate verification, as an advisory …

  1. CAPS LOCK

    Already patched in Linux Mint 17

    $ openssl version

    will reveal all. (Oh, err)

    1. mhenriday

      Re: Already patched in Linux Mint 17

      From what I can determine, my 64-bit Linux Mint 17.2 system is running OpenSSL 1.0.1f from 6 January 2014. I presume this means that it is not subject to the vulnerability described in the article?

      Henri

  2. Anonymous Coward

    Wet firecracker

    I do not see what the fuss was all about here. Sure - this can be exploited under some extremely obscure circumstances. But this is definitely not a major bug.

    1. This post has been deleted by its author

      1. Charlie Clark

        Re: Wet firecracker

        FWIW LibreSSL also did a patch release yesterday. Doesn't mention the CVE specifically but does refer to the BoringSSL code: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.1-relnotes.txt

      2. rux

        Re: Wet firecracker

        The severity of security vulnerabilities is scored using a number of factors, including the vector, complexity and impact of an exploit - see https://nvd.nist.gov/CVSS-v2-Calculator

        I think this is probably a high severity because of its potential impact to integrity/confidentiality.

    2. ckm5

      Re: Wet firecracker

      I'm not sure I agree - I could see an easy man-in-the-middle against automated systems that rely on cert errors to identify fake end-points. This is particularly bad if you are running VPNs over the 'open' internet between datacenters using OpenSSL as the encryption envelope, like, say, a stock exchange....

      You might be able to delay messages just enough to create an 'Office Space' scenario and no one would know.

    3. nagyeger

      Re: Wet firecracker

      This is a major bug if you're relying on SSL to provide end-to-end certification as a user. So I won't be connecting to my bank until it's fixed.

      It doesn't mean we need to unplug any servers while we wait for the distro to catch up with upstream though. I for one am happy about that.

      1. IrrelevantMusings

        Re: Wet firecracker

        Uh, why is this not catastrophic? It sounds like anyone can forge a certificate for any domain:

        1. Get a normal (non-CA) host certificate from a legit CA.

        2. Use that cert to sign a fraudulent cert for target host/domain, including the non-CA cert in the authority chain. (You might need to hack a copy of the cert-signing app to ignore the missing CA flag.) Make sure auth chain is glitched properly to trigger OpenSSL bug in victim.

        3. Redirect victim's https request to fraudulent site, use fraudulent certificate.

        Sounds like the hardest part is (3), and if that was hard we wouldn't need certs.
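        The three steps above can be reproduced with nothing but the openssl command line. The script below is an added example, not code from the article or from any commenter: it creates a throwaway root CA standing in for the "legit CA", issues an ordinary CA:FALSE host certificate from it, uses that host certificate to sign a certificate for a target name, and then asks openssl verify what it thinks of the result. Every subject name, file name and the working directory are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or any commenter. Builds the chain
# from the comment above with the openssl CLI and checks how a verifier
# treats it. Requires the openssl command; every name and path here is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Sign one certificate: CSR for $cn, private key written to $key, signed by
# the cert/key pair $ca/$cakey with the extensions listed in $extfile.
# 'openssl x509 -req' does not check whether the signer is allowed to act as
# a CA, so step 2 of the comment needs no modified signing tool.
issue() {
    cn=$1 key=$2 out=$3 ca=$4 cakey=$5 extfile=$6
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$out.csr"
    openssl x509 -req -sha256 -days 30 -in "$out.csr" -CA "$ca" -CAkey "$cakey" \
        -CAcreateserial -extfile "$extfile" -out "$out" 2>/dev/null
}

build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$WORK/host.ext"

    # Trust anchor standing in for the "legit CA" of step 1 (self-signed).
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/root.key" -subj "/CN=Example Root CA" -out "$WORK/root.csr"
    openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    # Step 1: an ordinary host certificate (CA:FALSE) for a name the attacker owns.
    issue attacker.example "$WORK/leaf.key" "$WORK/leaf.pem" \
        "$WORK/root.pem" "$WORK/root.key" "$WORK/host.ext"

    # Step 2: use that non-CA host certificate to issue one for the target.
    issue bank.example "$WORK/forged.key" "$WORK/forged.pem" \
        "$WORK/leaf.pem" "$WORK/leaf.key" "$WORK/host.ext"
}

# Control: the genuine host certificate chains to the root (exit status 0).
legit_leaf_verifies() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Step 3 as seen by the victim: the forged certificate arrives with the
# non-CA host certificate offered as its "intermediate". A correct verifier
# rejects it with X509_V_ERR_INVALID_CA ("invalid CA certificate") at depth 1,
# because that certificate carries CA:FALSE and no keyCertSign.
# Returns 0 when the chain is rejected, 1 if it were accepted.
forged_is_rejected() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/leaf.pem" \
            "$WORK/forged.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

build_chain
printf 'legit leaf:  %s\n' "$(openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true)"
printf 'forged cert: %s\n' "$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/leaf.pem" "$WORK/forged.pem" 2>&1 || true)"
```

        On a patched build the forged certificate is refused because the chain builder's first attempt (forged cert, host cert, root) succeeds and the CA-flag check then runs on the host certificate. CVE-2015-1793 only applied to the alternative-chain path OpenSSL takes when that first attempt fails, which is the "glitched" chain the comment refers to; this script shows the check that path was supposed to perform, not the trigger.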

  3. channel extended

    Public Wifi

    A lot of the public wifi spots require that you accept a self signed cert. This error could leave users open to an easier MITM attack.

  4. TrevorH

    Bug introduced on June 11th

    This is a fix for a bug that only entered the codebase on June 11th and was spotted on the 24th. I suspect almost no distros have backported or shipped such new openssl releases - oh, except Fedora which handily backported the buggy code :-( For those of us running CentOS/RHEL or probably any other LTS distro, the bug never even made it to the code...

  5. Richard Lloyd

    RHEL/CentOS not affected

    Probably the most popular Linux server family, RHEL/CentOS, isn't affected and doesn't need to be patched:

    https://access.redhat.com/security/cve/CVE-2015-1793
