OpenSSL is an open source cryptographic library that provides a robust and fully featured toolkit for the SSL and TLS protocols that secure just about every HTTPS website and service on the internet. It is also a general-purpose cryptography library and a key component of the OpenVPN protocol.
According to OpenSSL.org’s latest Security Advisory, both supported versions of OpenSSL (1.0.1t and 1.0.2h) had two “high severity” weaknesses in them. These could result in OpenSSL connections becoming compromised (making it possible, for example, to decrypt HTTPS web traffic).
According to security expert Kenneth White, these flaws are a result of OpenSSL’s support for legacy encryption schemes:
“Both of these bugs are the result of complex legacy interoperability which will be solved by moving off of known dangerous protocol constructions like CBC (which is mandatory under TLS 1.3), and by developing and adopting much less complex certificate encoding and parsing software.”
Curious Padding Oracle flaw
The most severe issue was OpenSSL’s vulnerability to a Padding Oracle attack. This could be pulled off against a connection that uses the AES-CBC cipher algorithm (which is commonly used for OpenVPN connections) where the server supports AES-NI. Rich Salz, a member of the OpenSSL development team and an engineer at Akamai, explains:
“The AES issue is interesting. If you can [man-in-the-middle] then you can inject packets, look at the error codes, and then eventually decrypt traffic. So it’s for national-scale attackers who can force DNS or BGP routes, or small hackers who can hack Wi-Fi in Starbucks.”
The flaw only permits the recovery of 16 bytes of encrypted traffic, and even then, only when the data is sent repeatedly by the target. This is enough, however, for an adversary to collect cookies and other small pieces of data that could be used to compromise the target.
This vulnerability has been officially indexed as CVE-2016-2107, and somewhat ironically it exists thanks to earlier efforts to patch the “Lucky Thirteen” bug, another padding oracle attack that surfaced in 2013.
The flaw was discovered by security researcher Juraj Somorovsky, who provides a detailed explanation of his findings here.
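The oracle Salz describes lives in the error handling, not in AES itself: the server reveals, through its error code, whether the decrypted padding was well formed. The following Python is an added illustration, not code from this article or from OpenSSL. It models a TLS CBC record body as it looks after decryption (payload || HMAC || padding, so the cipher step is omitted) and contrasts a checker that returns separate padding and MAC error codes with one that reports a single failure. The MAC key, the payload and the record layout are constructed for the demo, and the model is simplified: a production implementation must also keep its timing independent of which check fails, whereas this only collapses the error codes.

```python
import hashlib
import hmac

# Constructed demo MAC key; in TLS the record MAC key comes from the handshake.
MAC_KEY = b"constructed-demo-mac-key"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256
BLOCK_SIZE = 16                         # AES block size

# Result codes. The leaky checker uses the first three; the uniform checker
# only ever returns OK or DECRYPT_ERROR.
OK = "ok"
BAD_PADDING = "bad_record_padding"
BAD_MAC = "bad_record_mac"
DECRYPT_ERROR = "decryption_failed"


def build_record(payload: bytes) -> bytes:
    """Lay out a TLS CBC record body the way it looks after decryption:
    payload || HMAC(payload) || padding. Every padding byte, including the
    final length byte, holds the number of padding bytes that precede it."""
    mac = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    body = payload + mac
    pad_len = (BLOCK_SIZE - (len(body) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return body + bytes([pad_len]) * (pad_len + 1)


def strip_padding(record: bytes):
    """Return the record without padding, or None if the padding is malformed."""
    if not record:
        return None
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    if any(b != pad_len for b in record[-(pad_len + 1):]):
        return None
    return record[:-(pad_len + 1)]


def mac_is_valid(body: bytes) -> bool:
    """Check the trailing HMAC over the payload that precedes it."""
    if len(body) < MAC_LEN:
        return False
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def check_record_leaky(record: bytes) -> str:
    """Vulnerable shape: a padding failure gets its own error code, so anyone
    who can submit records and observe the result learns whether the
    decrypted padding was well formed. That distinction is the oracle."""
    body = strip_padding(record)
    if body is None:
        return BAD_PADDING
    if not mac_is_valid(body):
        return BAD_MAC
    return OK


def check_record_uniform(record: bytes) -> str:
    """Hardened shape: the MAC is checked on every path and both failures
    collapse into one error, so the result no longer says which check failed."""
    body = strip_padding(record)
    padding_ok = body is not None
    if not padding_ok:
        # Run the MAC check over a fixed view of the record anyway, a simplified
        # stand-in for the constant-time handling a real implementation needs.
        body = record[:-1] if record else b""
    mac_ok = mac_is_valid(body)
    return OK if (padding_ok and mac_ok) else DECRYPT_ERROR


def distinct_failure_codes(check, records) -> int:
    """Number of different non-OK results a checker exposes for the given
    records: more than one means the error channel is distinguishable."""
    return len({check(r) for r in records} - {OK})


# Constructed sample traffic: one good record and two tampered copies.
GOOD = build_record(b"GET / HTTP/1.1\r\nCookie: session=constructed\r\n")
BAD_PAD = GOOD[:-1] + bytes([GOOD[-1] + 3])   # wrong padding length byte
BAD_TAG = bytes([GOOD[0] ^ 0x01]) + GOOD[1:]  # payload byte flipped, padding intact

if __name__ == "__main__":
    for name, check in (("leaky", check_record_leaky), ("uniform", check_record_uniform)):
        print(name, [check(r) for r in (GOOD, BAD_PAD, BAD_TAG)],
              "distinct failure codes:", distinct_failure_codes(check, (BAD_PAD, BAD_TAG)))
```

Run stand-alone, the leaky checker reports two different failure codes for the two tampered records while the uniform checker reports one, which is the property to look for when reviewing record-processing code: a client that can trigger both kinds of corruption should not be able to tell them apart from the response.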
Memory corruption vulnerability in the ASN.1 encoder used in OpenSSL
This bug was, in fact, fixed back in June 2015, and only affects OpenSSL versions earlier than April 2015. It is only now, however, that the full impact of this weakness on OpenSSL security has been understood.
CVE-2016-2108 does not by itself present a security problem, but if combined with another unrelated flaw (in the ASN.1 parser), it could result in a buffer overrun that would allow an attacker to execute malicious code on a web server.
Although listed as “high severity”, these flaws are not something that should alarm the general public (they are no Heartbleed bug!). Server administrators should, however, immediately patch their OpenSSL to versions 1.0.2c and 1.0.1o.
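Checking whether an installed OpenSSL meets the minimum releases named above is mostly a matter of comparing version strings correctly, since 1.0.x releases carry a patch letter ("1.0.2h") that has to sort after a bare "1.0.2". The following Python is an added example, not code from this article or from the OpenSSL project; the table of minimum versions is taken from the article's advice and is a parameter, so the versions from whichever advisory you are acting on can be substituted. The version scheme it parses is the 1.0.x one discussed here.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Minimum patched releases per branch, as recommended in the article for the
# ASN.1 encoder fix. Substitute the versions from the advisory you are acting on.
ASN1_ENCODER_FIX: Dict[str, str] = {"1.0.1": "1.0.1o", "1.0.2": "1.0.2c"}

# OpenSSL 1.0.x releases are numbered major.minor.fix plus an optional patch
# letter, e.g. "1.0.2h"; within a branch the letters sort alphabetically.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_version(text: str) -> Optional[Version]:
    """Extract a comparable version tuple from text such as the output of
    `openssl version` ("OpenSSL 1.0.2h  3 May 2016"), or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def branch_of(v: Version) -> str:
    """The release branch a version belongs to, e.g. (1, 0, 2, 'h') -> '1.0.2'."""
    return f"{v[0]}.{v[1]}.{v[2]}"


def needs_update(version_text: str, minimum_by_branch: Dict[str, str]) -> Optional[bool]:
    """True if the version is below its branch's minimum patched release,
    False if at or above it, None if the text holds no parseable version.
    A branch missing from the table is reported as needing attention: it is
    either out of support or not covered by the table you supplied."""
    v = parse_version(version_text)
    if v is None:
        return None
    minimum = minimum_by_branch.get(branch_of(v))
    if minimum is None:
        return True
    min_v = parse_version(minimum)
    if min_v is None:
        raise ValueError(f"malformed minimum version for branch {branch_of(v)}: {minimum!r}")
    return v < min_v


def local_openssl_version() -> Optional[str]:
    """Ask the installed openssl binary for its version string, or None if it
    cannot be run (not installed, not on PATH, or exits with an error)."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.2h  3 May 2016", "OpenSSL 0.9.8zh 3 Dec 2015"):
        print(f"{sample!r}: needs update = {needs_update(sample, ASN1_ENCODER_FIX)}")
    local = local_openssl_version()
    print("installed:", local, "needs update:", needs_update(local, ASN1_ENCODER_FIX) if local else "n/a")
```

One caveat when using this on real hosts: several Linux distributions keep an old upstream version string (a Debian or Red Hat package may still report "1.0.1e") while backporting the security fixes, so a version comparison alone is not proof that a host is unpatched; confirm against the package changelog or the vendor's own advisory before escalating.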