The world outside of IT was largely unaware of OpenSSL until the recent Heartbleed bug made headlines. Now a vulnerability in the service has been discovered that is so old it can get its drivers license.
Two critical security patches were recently released for OpenSSL. Following the Heartbleed news, these were bound to make headlines.
But how bad are they really?
The short answer: Not as bad as Heartbleed, likely.
There are some things working in users’ favor this time – including that the flaw has existed for 16 years and there have been no known exploits so far.
The flaw allows a malicious person to conduct a Man-in-the-Middle attack. Essentially, that means they’d be able to intercept data and spy on a user’s session.
But for the attack to work, both the server and client need to be running vulnerable versions. Vulnerable versions include OpenSSL 1.0.1 and 1.0.2-beta1.
OpenSSL advises that:
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
How would an attack work?
Since both the client and server need to be vulnerable, this flaw would be difficult to exploit. But Symantec’s blog has outlined a hypothetical situation where it could be used against a user:
One way that attackers could exploit this flaw is by setting up a rogue Wi-Fi hotspot in a public area. If a user connects to this rogue access point, the attackers controlling the hotspot could steal their data, even though the traffic is encrypted.
This hasn’t been tested yet. But it certainly seems like the kind of thing an intrepid hacker could pull off.
What to do
Since every version of OpenSSL for clients is vulnerable, users are once again at the mercy of server admins to update.
In the meantime, if your servers use OpenSSL, make sure they’re updated to a fixed version.