OpenSSL Releases Patch for SEVERE Certificate Forgery Bug

The much anticipated OpenSSL patch for that SEVERE certificate forgery bug has arrived!

The Advisory:

     During certificate verification, OpenSSL (starting from version 1.0.1n and
     1.0.2b) will attempt to find an alternative certificate chain if the first
     attempt to build such a chain fails. An error in the implementation of this
     logic can mean that an attacker could cause certain checks on untrusted
     certificates to be bypassed, such as the CA flag, enabling them to use a valid
     leaf certificate to act as a CA and “issue” an invalid certificate.

     This issue will impact any application that verifies certificates including
     SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

     This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

     OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
     OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p 

Which means what?!

It means that a hacker who can spoof an SSL certificate would be able to read all of the traffic in the clear, while the connection would continue to appear secure to the user. They could also set up a malicious certificate authority, which would need to be implanted in a computer or image and would require more work than it might be worth. However, if they put in the effort, traffic protected by any cert validated by the malicious authority would be readable to them.

OpenSSL became aware of the vulnerability when Adam Langley of Google and David Benjamin of BoringSSL reported it on June 24th of this year.  BoringSSL came up with the fix for the bug.

The good news is that OpenSSL has patched the vulnerability, and all you need to do is update!
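To find which systems need the update, the affected-version list in the advisory above can be turned into a first-pass triage of `openssl version` banners and of the library an application is linked against. This is an added example, not code from OpenSSL or from the original post; the function names are hypothetical and the hostnames and banners in `SAMPLE` are constructed.

```python
import re
import ssl

# Affected releases and the fixed release for each, as listed in the advisory.
FIXED_BY = {"1.0.2b": "1.0.2d", "1.0.2c": "1.0.2d",
            "1.0.1n": "1.0.1p", "1.0.1o": "1.0.1p"}

# Matches banners such as "OpenSSL 1.0.2c 12 Jun 2015"; a vendor suffix like
# "-fips" is matched separately so the upstream version can be compared.
BANNER = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(-\S+)?")

def triage(banner):
    """Return (version, status, upgrade_target) for one OpenSSL version banner."""
    m = BANNER.search(banner)
    if not m:
        return (None, "unparsed", None)   # e.g. a different TLS library
    version = m.group(1)
    if version in FIXED_BY:
        return (version, "affected", FIXED_BY[version])
    # Not in the advisory's list. The version letter does not reveal vendor
    # backports, so confirm vendor builds against the package changelog.
    return (version, "not-listed", None)

def triage_inventory(lines):
    """Each line is '<host> <banner>'; return {host: triage result}."""
    report = {}
    for line in lines:
        host, _, banner = line.partition(" ")
        report[host] = triage(banner)
    return report

def linked_library():
    """Triage the OpenSSL build this Python interpreter is linked against."""
    return triage(ssl.OPENSSL_VERSION)

# Constructed sample inventory (hostnames and banners are illustrative).
SAMPLE = [
    "web01 OpenSSL 1.0.2c 12 Jun 2015",
    "vpn02 OpenSSL 1.0.1o 12 Jun 2015",
    "db03 OpenSSL 1.0.1e-fips 11 Feb 2013",
    "app04 OpenSSL 1.0.2d 9 Jul 2015",
    "old05 OpenSSL 0.9.8zg 11 Jun 2015",
]

if __name__ == "__main__":
    for host, (ver, status, target) in triage_inventory(SAMPLE).items():
        print(host, ver, status, "-> upgrade to " + target if target else "")
    print("this interpreter:", linked_library())
```

The CLI banner only describes the `openssl` binary on the path; applications that bundle or statically link their own copy need the same check against the library they actually load, as `linked_library()` does for Python.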

Currently, the OpenSSL Software Foundation is a volunteer-based team. OpenSSL powers thousands of hardware appliances and software applications around the globe. Since OpenSSL is available for free, there is no direct revenue source to sustain a permanent staff, which makes planning and resourcing difficult. Milton Security Group is a sustaining sponsor of OpenSSL, having made a pledge to donate monthly to this incredible organization.  We highly encourage any company that uses this wonderful toolkit, and is able, to follow the example that Milton Security has set.  Please help OpenSSL stay strong and secure.  Visit https://openssl.org.