New SSL Vulnerabilities – Spoofing CA Certificates

OpenSSL is a widespread, open-source SSL protocol application and is widespread and used by numerous projects and organization for providing rapid, adaptable and “secure” solution.

OpenSSL has recently reached headlines again, but on a bad note. As of late (the past two years or so), the older and current versions of SSL have suffered from application issues that were considered critical and which lead to the exposure of almost all SSL-based projects (not to be confused with protocol-level issues such as POODLE and BEAST attacks).

One of the most infamous issues was the ‘Heartbleed’ vulnerability, which allowed hackers to extract sensitive information from SSL servers.

Recently researchers have found a new OpenSSL vulnerability that was publically disclosed (and there may be more issues that we’re currently unaware of).

The vulnerability was first published on Monday, July 06 2015 on The Hacker News website (Link to the article: http://thehackernews.com/2015/07/openssl-vulnerability-patch.html).

Targeting Sys-Admins, they stated the following:

Attention Please! System Administrator and anyone relying on OpenSSL should be prepared to switch to a new version of the open-source crypto library that will be released this Thursday 9th July.

OpenSSL is a widely used open-source software library that provides encrypted internet connections using SSL/TLS for majority of websites, as well as other secure services.

The new versions of OpenSSL crypto library, versions 1.0.2d and 1.0.1p, address a single security vulnerability classified as “high severity,” the OpenSSL Project Team announced on Monday.

Even though specific details were not disclosed, it is highly recommended to upgrade.

You can read a more detailed article on this matter that was published on Thursday, July 09 2015 by The Hacker News website (Link to the article: http://thehackernews.com/2015/07/openssl-vulnerability-ssl-certificate.html).

In short, one of SSL’s main features, ‘Integrity’, is being threatened by this vulnerability. Should a hacker come between the client (such as a web browser) and a server (such as a web server), the hacker could intercept traffic and present itself to the client as the real server (impersonation using a Man-in-the-Middle attack).

The details according to the article:

“The critical vulnerability could allow man-in-the-middle attackers to impersonate cryptographically protected websites, virtual private networks, or e-mail servers, and snoop on encrypted Internet traffic.

The vulnerability, (CVE-2015-1793), is due to a problem lies in the certificate verification process. An error in its implementation skipped some security checks on new, untrusted certificates.

By exploiting this vulnerability, an attacker could circumvent certificate warnings that enable them to force applications into treating an invalid certificate as a legitimate Certificate Authority.”
The CVE articles (https://www.openssl.org/news/secadv_20150709.txt, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1793) that review the vulnerability referred to as Alternative chains certificate forgery

The overview of the vulnerability details the problem in one of the internal OpenSSL functions:

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

The final recommendation for users that use versions 1.0.2b/1.0.2c is to update to version 1.0.2d and users that use versions 1.0.1n/1.0.1o to update to 1.0.1p.

Source versions are available here: https://www.openssl.org/source/

Binaries for Windows are available here: http://indy.fulgan.com/SSL/

Binary for Solaris are available here:  http://www.unixpackages.com/

The AppSec Labs SSL Scanner tool is an open-source broad scanning tool for detecting different issues regarding SSL.

Want to know more about SSL? Want to know if you’re safe? Ran the AppSec Labs SSL Scanner! Now you want to mitigate? Contact us at www.Appsec-Labs.com and we’ll be happy to assist.

I hope that it has been informative for you and I’d like to thank you for reading J

Gilad Ofir, Application Security Consultant, AppSec Labs