Cybersecurity

Six more bugs found in popular OpenSSL security tool

By Robert Merkel

Published 9 June 2014

Computer system administrators around the world are groaning again as six new security problems have been found in the OpenSSL security library.

OpenSSL is a security tool that provides facilities to other computer programs to communicate securely over the public Internet.

For example, if you see “https://” at the start of a Web address rather than “http://,” the “s” part indicates that the connection is secure. More often than not, at least the server computer on the other end of the connection will be using OpenSSL to provide that security.

OpenSSL provides two main forms of security:

  1. It scrambles information so it is unreadable to anyone other than the intended recipient
  2. It authenticates the source of information, ensuring the sender is who they say they are

OpenSSL is also used in some common consumer applications, such as software in Google’s Android smartphones.

So when the Heartbleed vulnerability in OpenSSL was discovered and widely publicized in April this year, system administrators had to rush to update their systems to protect against it.

The latest bugs

The OpenSSL developers, a loosely connected group of volunteers who primarily collaborate online, announced this week an updated version of their tool with fixes for the six new vulnerabilities, each reported independently by security researchers around the world.

Of the six, four appear to only be exploitable for “denial-of-service” purposes. An attacker could cause a server running the vulnerable software to stop functioning.

But the other two bugs are more serious.

The first (explained in technical detail here) might, theoretically, allow an attacker to gain full control of a vulnerable server. At that point all data on that server becomes available to the attacker.

But this can only occur if a particular facility called Datagram Transport Layer Security (DTLS) of OpenSSL is in use. Fortunately this facility isn’t used by the vast majority of applications using OpenSSL.

The second serious bug (technical explanation here and additional technical analysis here) has been present in OpenSSL for at least fifteen years.

In essence, by sending certain messages through OpenSSL in the wrong order, a supposedly “secure” connection can be initiated with a known password. This can be used to establish a “man-in-the-middle” attack, where an attacker with access to the communication channel between a server and client can read and/or modify any messages between them.

Unlike the DTLS vulnerability, clients and servers using OpenSSL in typical ways are vulnerable.
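
The message-ordering problem described above can be shown with a toy handshake model. This is an added example, not OpenSSL's code: the class and function names and the stand-in key derivation are hypothetical, and it assumes the out-of-order message is TLS's ChangeCipherSpec, which the article does not name.

```python
import hashlib
from enum import Enum, auto

class Msg(Enum):
    HELLO = auto()
    KEY_EXCHANGE = auto()
    CHANGE_CIPHER_SPEC = auto()   # "switch to the negotiated keys now"

class HandshakeError(Exception):
    pass

def derive_key(master_secret: bytes) -> bytes:
    # Stand-in key derivation for the toy model, not the real TLS PRF.
    return hashlib.sha256(b"toy-session-key" + master_secret).digest()

class Endpoint:
    def __init__(self, strict: bool):
        self.strict = strict
        self.master_secret = b""   # empty until the key exchange completes
        self.seen = []
        self.session_key = None

    def receive(self, msg: Msg, payload: bytes = b"") -> None:
        if msg is Msg.KEY_EXCHANGE:
            self.master_secret = payload
        elif msg is Msg.CHANGE_CIPHER_SPEC:
            # Hardened behaviour: refuse to switch keys before a secret is agreed.
            if self.strict and Msg.KEY_EXCHANGE not in self.seen:
                raise HandshakeError("ChangeCipherSpec before key exchange")
            self.session_key = derive_key(self.master_secret)
        self.seen.append(msg)

def run(strict: bool, order) -> str:
    ep = Endpoint(strict)
    try:
        for msg, payload in order:
            ep.receive(msg, payload)
    except HandshakeError:
        return "rejected"
    if ep.session_key is None:
        return "no-key"
    # A key derived from the empty secret can be computed by anyone.
    return "known-key" if ep.session_key == derive_key(b"") else "secret-key"

# Constructed sample message sequences (not captured traffic).
SECRET = b"constructed-shared-secret"
IN_ORDER = [(Msg.HELLO, b""), (Msg.KEY_EXCHANGE, SECRET), (Msg.CHANGE_CIPHER_SPEC, b"")]
EARLY_CCS = [(Msg.HELLO, b""), (Msg.CHANGE_CIPHER_SPEC, b""), (Msg.KEY_EXCHANGE, SECRET)]

if __name__ == "__main__":
    for strict in (False, True):
        print(strict, run(strict, IN_ORDER), run(strict, EARLY_CCS))
```

The lenient endpoint ends up with a key anyone can compute when the key-switch message arrives early, while the strict endpoint aborts the handshake.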