After the Heartbleed vulnerability, more security researchers have turned their attention toward reviewing OpenSSL. Now it’s time to patch again, but the most alarming and bizarre part of the story is that one of the critical vulnerabilities in OpenSSL has gone undetected since December 1998.

If you’re looking for a positive slant to another critical hole being discovered in open source encryption software, then it would have to be that more researchers will likely keep digging into OpenSSL code. In the long run, that should make encryption more secure. In order to Reset the Net and reclaim our privacy, we need to encrypt everything.

The patch released by the OpenSSL team today will close that hole along with five other flaws. “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers,” states the OpenSSL security advisory regarding CVE-2014-0224. “This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.

OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

In a post explaining how he discovered the CCS injection vulnerability (CVE-2014-0224), security researcher Masashi Kikuchi wrote that the ChangeCipherSpec (CCS) bug “has existed since the very first release of OpenSSL. The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation.”

Google’s Adam Langley wrote, “The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren’t affected. Nonetheless, all OpenSSL users should be updating.”

Meanwhile, SANS Internet Storm Center classified two of the six newly patched vulnerabilities as critical, CVE-2014-0224 and CVE-2014-0195, and warned that they “may lead to arbitrary code execution.” The latter vulnerability, in OpenSSL’s implementation of Datagram Transport Layer Security (DTLS), was credited to Jüri Aedla, who “recently made news by successfully compromising Mozilla Firefox during this year’s Pwn2Own contest.” HP’s TippingPoint Zero Day Initiative also pointed out:

“According to the commit logs, Robin Seggelmann introduced this vulnerability into the OpenSSL code base four years ago. Yes, Robin Seggelmann is also responsible for introducing the Heartbleed vulnerability. Two big vulnerabilities introduced by the same developer. Seggelmann is not completely to blame, of course. OpenSSL is an open source project. The ‘many eyes’ that look at this code failed to catch this bug, but a new breed of individuals are looking at this code…especially at Seggelmann’s code. This code is now known for having vulnerabilities. There is blood in the water. For the individuals auditing his code, the Zero Day Initiative will happily handle the work that goes into disclosing those vulnerabilities and reward you for your efforts.”

The remaining four flaws patched today could be used for denial-of-service: CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470.
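
As an added example (not code from the OpenSSL advisory or from this article), the upgrade guidance for CVE-2014-0224 can be turned into a first-pass check on `openssl version` banners. The function names and the sample banners are constructed for illustration; the fixed releases and the client/server distinction are the ones stated in the article.

```python
import re

# Fixed release letter per branch, taken from the upgrade guidance in the article.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
_BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(\w+))?")

def letter_rank(letters):
    """OpenSSL patch letters run a..z, then za, zb, ...; '' is the base release."""
    return (len(letters), letters)

def assess(banner):
    """Classify an `openssl version` banner against CVE-2014-0224.

    Returns client/server exposure and the release to upgrade to.
    Raises ValueError for banners or branches the article does not cover.
    """
    m = _BANNER.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch, letters, tag = m.groups()
    if branch == "1.0.2" and tag == "beta1":
        # Named as a vulnerable server; the article lists no fixed release for it.
        return {"client": True, "server": True, "upgrade_to": None}
    if branch not in FIXED:
        raise ValueError("branch %s is not covered by the article" % branch)
    # Suffixes such as -fips are build flavours; beta/pre/dev precede the release.
    prerelease = bool(tag) and tag.startswith(("beta", "pre", "dev"))
    if not prerelease and letter_rank(letters) >= letter_rank(FIXED[branch]):
        return {"client": False, "server": False, "upgrade_to": None}
    return {
        "client": True,               # clients: vulnerable in all versions
        "server": branch == "1.0.1",  # servers: only known vulnerable in 1.0.1
        "upgrade_to": branch + FIXED[branch],
    }

# Constructed sample banners in the format `openssl version` prints.
SAMPLES = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 0.9.8za 5 Jun 2014",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, "->", assess(banner))
```

Distribution packages often backport fixes without changing the upstream version letter, so a "vulnerable" result from the banner alone is a prompt to check the package changelog, not a final verdict.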