It’s usually best practice to update to the newest version of any software to make sure you’ve got the most recent security fixes, but OpenSSL users who religiously stick to the most recent version — of which there probably aren’t all that many — were rewarded this month with another severe vulnerability.
I should make it clear that although this vulnerability is a critical one, it’s nowhere near the severity of last year’s Heartbleed: it can only be used for targeted attacks and takes a lot of effort to exploit. That said, the type of vulnerability makes it quite serious.
Who Is Vulnerable?
Users of OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o are vulnerable. The problem was introduced in June of this year and was found by the developers of Google’s OpenSSL alternative BoringSSL soon after and fixed within a month — much better than Heartbleed’s two-year lifespan. If you’re using a vulnerable version, you should update.
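To check an inventory against the four releases listed above, the following is an added example (not code from OpenSSL or from this article). It assumes version banners in the format printed by `openssl version`; the host names and sample banners are constructed.

```python
import re
import ssl

# Affected releases, exactly as listed in the article.
AFFECTED = {"1.0.2b", "1.0.2c", "1.0.1n", "1.0.1o"}

# Upstream-style banner, e.g. "OpenSSL 1.0.2c 12 Jun 2015" or
# "OpenSSL 1.0.1n-fips 11 Jun 2015". Anchoring on the product name keeps
# LibreSSL and BoringSSL banners from matching.
_BANNER = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)(?:-[\w.-]+)?(?:\s|$)")


def parse_version(banner):
    """Return the release string (e.g. '1.0.2c'), or None if not OpenSSL."""
    match = _BANNER.match(banner.strip())
    return match.group(1) if match else None


def is_affected(banner):
    """True only when the banner names one of the listed releases."""
    return parse_version(banner) in AFFECTED


def audit(inventory):
    """Classify each host's banner: affected / not listed / unrecognized."""
    report = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            report[host] = "unrecognized"
        else:
            report[host] = "affected" if version in AFFECTED else "not listed"
    return report


# Constructed sample inventory: host names and banners are made up.
SAMPLE = {
    "build-01": "OpenSSL 1.0.2c 12 Jun 2015",
    "vpn-gw": "OpenSSL 1.0.1n-fips 11 Jun 2015",
    "web-03": "OpenSSL 1.0.2d 9 Jul 2015",
    "legacy": "OpenSSL 1.0.2 22 Jan 2015",
    "edge-02": "LibreSSL 2.2.0",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
    # The OpenSSL build this Python interpreter is linked against.
    print("local:", ssl.OPENSSL_VERSION, "->", is_affected(ssl.OPENSSL_VERSION))
```

The banner reports the upstream release string; distribution packages that backport fixes can keep an older string, so confirm a match against the vendor's advisory before treating a host as exposed.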
What Does The Vulnerability Do?
Certificate authorities validate the authenticity of SSL certificates. Anyone can create an SSL certificate, but only those validated by certificate authorities are widely trusted. The vulnerability essentially allows a man-in-the-middle attacker to issue invalid certificates that will be trusted. It allows them to take on the role of the certificate authority and trick applications into treating invalid certificates as if they were issued by a genuine authority.
The point of identity validation via SSL is to ensure that parties to the communication are who they claim to be. If attackers can generate a certificate that appears to be validly linked to an entity, they can impersonate that entity.
The upgrade and software installation processes used by some mobile devices and enterprise applications may also be at risk if they are using a vulnerable version of OpenSSL. Many such processes use SSL to validate the identity of the sender of updates — updates are signed by a party verified by a certificate authority.
Who Should Be Worried?
None of the major browser manufacturers use OpenSSL for certificate validation, so end-users are safe. Applications that communicate over SSL-secured connections may be vulnerable if they’re using OpenSSL.
In reality, the risk is mostly theoretical. There was a small window of time in which the exploit could be used and there’s no evidence of it being used by attackers in the wild. That said, users of the vulnerable versions should update as soon as is practical.
Much of the conversation around this vulnerability has not focused on the exploitable code, but on the implications it has for our trust in certificate authorities.
According to Kevin Bocek, VP of security strategy and threat intelligence at Venafi, “bad actors have learnt that enterprises are blindly trusting certificate authorities - and often the easiest, fastest and most effective way to inject malware onto corporate networks is by signing the malware with compromised or stolen digital certificates.”
The takeaway here is that if you’re using a vulnerable version, upgrade — but you probably shouldn’t be too worried about being the victim of a successful attack that leverages this vulnerability.