A new security flaw that can be exploited by hackers to execute man-in-the-middle attacks and take control of affected machines has been found in OpenSSL, the cryptographic library upon which the security of a huge chunk of the Internet is based.
Thankfully, the flaw has already been patched, and the team that manages the open-source OpenSSL has issued a security advisory encouraging everyone who may be affected to update OpenSSL immediately to receive the patch.
The flaw, which was discovered by Adam Langley and David Benjamin of Google's BoringSSL, Google's own fork of OpenSSL, is no Heartbleed or Freak and was discovered in late June before it made its way to mainstream services. However, it is important that users running versions 1.0.2c and 1.0.2b upgrade their OpenSSL to 1.0.2d and those on 1.0.1n and 1.0.1o upgrade to 1.0.1p.
The OpenSSL team explains that the flaw, identified as CVE-2015-1793, allows hackers to impersonate legitimate transport layer security (TLS) or secure sockets layer (SSL) and intercept what would normally be encrypted information passing between a user and a server.
If used by attackers with a target, CVE-2015-1793 could be potentially dangerous as it bypasses what is often the only form of cryptographic protection used by many websites, email providers and virtual private networks by letting attackers make an invalid certificate appear legitimate. For example, the bug skips checking the Certificate Authority (CA) flag, letting attackers use their own fake certificate masquerading as the real one to get access to encrypted data.
"During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build a chain fails," the OpenSSL team said. "An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and 'Issue' an invalid certificate."
The good thing is not a lot of people are affected by this flaw, as three of the most popular web browsers, namely Internet Explorer, Mozilla Firefox and Apple Safari, use their own crypto libraries, while Google Chrome uses BoringSSL. There are, however, desktop and mobile apps as well as Internet of Things devices that run on OpenSSL, which is why it is crucial to get the patch for the flaw.
Photo: Nguyen Hung Vu | Flickr