OpenSSL had released a security alert earlier this month to fix two high-severity issues. This is one of the several high-severity alerts issued over the last few years. Not only were large corporations hit with these issues, their customers were impacted as well. What will this mean for the future of OpenSSL?
OpenSSL is a popular library used to create Secure Socket Layer (SSL) and Transport Layer Security (TLS) to secure a network. Basically, a secure server running on a network is probably running OpenSSL. It is used in websites, products and all smartphones.
Taking a Walk Through History
Starting from 2014, OpenSSL has had many high-security issues that required fixing. The Heartbleed bug was reported in April. The issue was with how OpenSSL handled TLS heartbeat extension packets. This could result in hackers stealing credentials, personal information or decryption keys. The Heartbleed bug was the turning point that drew attention to OpenSSL and the lack of funding and resourcing supporting this open source project.
Shortly after, the Poodle vulnerability was detected in October 2014. This issue could allow hackers to steal information that could enable a hacker to take control of a victim’s accounts. And then, the FREAK vulnerability in March of 2015 which could allow communications between servers and clients to be decrypted.
The LogJam issue detected in May 2015 could allow hackers to exploit a session key exchange process at the start of secure communications. The Alternative Chains Certificate Forgery Vulnerability advisory released in July 2015, meant a hacker could bypass certain checks in an untrusted certificate.
What’s Happening Today
The latest issue is a combination of two bugs. The first bug involves the creation of a negative zero integer from the ASN.1 parser. This combined with the second issue of the ASN.1 parser can misinterpret large universal tags as a negative zero. Any application that parses and encodes the x509 certificate utility is vulnerable.
The second issue is due to resolving the Lucky Thirteen issue. As noted in the OpenSSL security alert, an MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.
The fix was released on April 18, 2016. This is a good reminder to all organizations to know what is being used within their network and confirm that all software is patched and up-to-date.
What Will the Future Bring?
The number of recent issues has raised the awareness of the lack of funding and resources supporting OpenSSL. As a result, the Core Infrastructure Initiative (CII) was created shortly after the detection of the Heartbleed issue. The goal of this organization is to help support, protect and fortify open source software through funds. These funds can be spent to support security audits, fellowships so developers can work full-time on open source projects, or computing and testing infrastructure.
OpenSSL was the first to benefit from this initiative. They created a roadmap to clean up the codebase, establish processes for critical changes and how to communicate them. CII sponsored an OpenSSL audit last year. Today, OpenSSL is part of a group of early recipients of the CII Best Practices Badges. The badge signifies that the open source software has met the criteria for security, quality and security.
Open source projects usually rely on donations to support their initiatives. The support and funds now directed to open source projects by an organization like CII is a testament to the importance they play in the computer industry.
Leave a Comment