OpenSSL Bugs Patched
Tuesday, February 2, 2016 @ 05:02 PM gHale
OpenSSL Project released new versions of the OpenSSL cryptographic library, which patches two separate security bugs, and updates the Logjam vulnerability.
OpenSSL contains an open source implementation of the SSL and TLS protocols, supports different cryptographic algorithms, and is in mainstream software.
One of the patched vulnerabilities rates as severe, as attackers could use it to obtain keys that would allow them to decrypt communications. This vulnerability affects only OpenSSL 1.0.2 releases.
“Historically OpenSSL usually only ever generated DH (Diffie-Hellman) parameters based on ‘safe’ primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be ‘safe’,” the OpenSSL team said in a post.
“Where an application is using DH configured with parameters based on primes that are not ‘safe’ then an attacker could use this fact to find a peer’s private DH exponent,” OpenSSL researchers said. “This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server’s private DH exponent if it’s reusing the private DH exponent or it’s using a static DH ciphersuite.”
“OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS,” they added. “It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.”
Researcher Antonio Sanso, who discovered the vulnerability and pointed it out to the OpenSSL team, has more details on the vulnerability.
Apparently, the team already knew about the flaw and had already (partially) fixed it, but the fix wasn’t yet implemented in the release branches of the library.
Users who run OpenSSL 1.0.2 should upgrade to 1.0.2f, and those running OpenSSL 1.0.1 should switch to 1.0.1r.
But, as part of the fix, the SSL_OP_SINGLE_DH_USE option is on by default and cannot end up disabled. “This could have some performance impact,” the OpenSSL team said.