Another OpenSSL vulnerability was detected on Thursday, one that allows malicious intermediate nodes to intercept encrypted data and decrypt it. It is believed that the bug has existed since the first release of OpenSSL.
According to Japanese researcher Masashi Kikuchi of Lepidum, who detected the OpenSSL bug, the vulnerability is in OpenSSL’s ChangeCipherSpec processing, and can force SSL clients to use weak keys which are exposed to the malicious nodes. The bug affects OpenSSL 1.0.1 through 1.0.1g, OpenSSL 1.0.0 through 1.0.0l, and all versions before OpenSSL 0.9.8y.
This OpenSSL bug comes days after the Core Infrastructure Initiative agreed to provide funds for OpenSSL to hire two full-time core developers, in the hope of improving its security after the serious impact of the recent Heartbleed vulnerability.
In response to the latest vulnerability, software vendors Ubuntu, Debian, FreeBSD, CentOS, Red Hat 5 and Red Hat 6 have released software updates.
Exploitation of this bug leaves no traces, so it is virtually impossible to tell whether someone has exploited it.
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation,” Kikuchi said in a blog post. “If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code. They could have detected the problem.”
According to Lepidum, the bug allows attackers to eavesdrop on and falsify communications when both a server and a client are vulnerable. Attackers are able to hijack the authenticated session even if the client is not vulnerable.
While attackers can’t steal private keys through the bug itself, if keys have been transferred via paths protected by SSL/TLS, the keys could be sniffed, Lepidum said.
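As an added example (not from the article, Lepidum or the OpenSSL project), the affected version ranges listed above can be checked against version banners gathered from an inventory; the function names and sample banners are constructed for illustration. Distribution packages often carry backported fixes under an unchanged upstream version string, so a match means the package should be checked against the vendor's update, not that it is necessarily unpatched.

```python
import re
import ssl

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Return (major, minor, fix, letters) from a banner such as 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL-style version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def _key(version):
    # Letter releases sort '' < 'a' < ... < 'z' < 'za' < 'zb', so compare the
    # suffix by length first and alphabetically second.
    major, minor, fix, letters = version
    return (major, minor, fix, len(letters), letters)

# Ranges as listed in the article; 'l' is the lowercase letter release.
_RANGES = [
    (_key((1, 0, 1, "")), _key((1, 0, 1, "g"))),   # 1.0.1 through 1.0.1g
    (_key((1, 0, 0, "")), _key((1, 0, 0, "l"))),   # 1.0.0 through 1.0.0l
]
_BEFORE = _key((0, 9, 8, "y"))                      # all versions before 0.9.8y

def in_affected_range(banner):
    """True if the upstream version in `banner` falls in a range the article lists."""
    k = _key(parse_openssl_version(banner))
    return k < _BEFORE or any(lo <= k <= hi for lo, hi in _RANGES)

if __name__ == "__main__":
    # Constructed sample banners, as an inventory script might collect them.
    samples = [
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1h 5 Jun 2014",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 0.9.8x 10 May 2012",
        ssl.OPENSSL_VERSION,  # the OpenSSL this Python interpreter is linked against
    ]
    for banner in samples:
        hit = in_affected_range(banner)
        verdict = "in affected range, check vendor update" if hit else "outside listed ranges"
        print("%-40s %s" % (banner, verdict))
```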