In Brief: Although severe, a new vulnerability in OpenSSL that allows an attacker to impersonate a trusted CA serveris expected to have minimal impact.
OpenSSL today issued a high severity advisory warning of forged certificates. During certificate verification, the alert says OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. This could allow an adversary to impersonate a trusted CA server and eavesdrop on otherwise encrypted communication.
Fortunately, the flaw only affects versions of OpenSSL released last month and not yet available in some OSs such as Ubuntu. Affected versions are OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
Despite the severity, experts expect the overall impact will be minimal.
“Exploiting the OpenSSL vulnerability (CVE-2015-1793) is not quick or easy, making it nowhere near as serious as Heartbleed,” said Veracode’s Vice President of Research Chris Eng in an email. “For starters, an attacker can’t simply directly attack a vulnerable server due to the nature of the vulnerability.”
To exploit successfully, an attacker would first need to get access to a vulnerable browser then would have to get the forged certificate to that browser. By default, Google Chrome, Mozilla Firefox, Microsoft Internet explorer, and Apple iOS do not use OpenSSL for validations. Derivative SSL alternatives such as Boring SSL are not affected.
The OpenSSL Project advisory states that users of OpenSSL 1.0.2b/1.0.2c should upgrade to 1.0.2d and users of OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.