ADVISORY: Update OpenSSL to patch certificate validation vulnerability

Thursday, July 9, 2015

This information was sent to U-M IT staff groups on July 9, 2015. it is intended for U-M IT staff who are responsible for university servers that use OpenSSL.

Summary

A critical vulnerability in the way some versions of OpenSSL validate alternative chain certificates could allow an attacker to impersonate a website or host. IIA recommends that you update OpenSSL on affected systems after appropriate testing.

Threats

An attacker who exploits this vulnerability could construct a TLS certificate to act as a certificate authority (CA). This could enable the attacker to create a malicious site that appears to be a legitimate, published site. For example, the malicious site could impersonate a banking, shopping, or university site.

Affected Systems

Systems that use the following versions of OpenSSL and verify certificates are affected, including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication:

  • OpenSSL 1.0.2c and 1.0.2b
  • OpenSSL 1.0.1n and 1.0.1o

Note that these systems are not affected: RedHat, CentOS, and Ubuntu distributions of Linux; OpenSSL 0.9.8 and 1.0.0.

Action Items

Visit the OpenSSL website to download the newest versions of OpenSSL.

  • OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
  • OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

Technical Details

When verifying certificates, the affected versions of OpenSSL will search for an alternative certificate chain if the first attempt to build a certificate chain fails. The vulnerability in this process means that an attacker could cause certain checks on untrusted certificates, such as the CA flag, to be bypassed. This would allow the attacker to use a valid leaf certificate in order to act as a CA and issue a certificate which is not recognized by OpenSSL as invalid. The vulnerability has been assigned CVE-2015-1793.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.

Questions, Concerns, Reports

Please contact [email protected].