Another Heartbleed? OpenSSL encryption toolkit vulnerable again

5 Jun, 2014 20:46 / Updated 11 years ago

Security experts have spotted another glaring flaw in the OpenSSL encryption library, rekindling fears that have barely subsided since the Heartbleed bug was spotted in the same protocol earlier this year.

OpenSSL said on Thursday this week that a glitch had been discovered that, if exploited properly, could allow a well-skilled hacker to “decrypt and modify” web traffic assumed to be protected with the popular encryption method.

“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” reads an advisory issued on Thursday begins. “The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”

"On the surface, the fact that the vulnerability requires man-in-the-middle positioning for exploitation is limiting, but as better tools are developed, automation might enable easy mass exploitation on Wi-Fi networks and similar environments," warned Ivan Ristic, the director of engineering at vulnerability management vendor Qualys, in a statement published by CRN.

Lepidum — the software developer that discovered the latest error — described their finding as a “serious vulnerability” that could allow for eavesdropping on web communications sent between browsers, email clients and other internet-ready mediums if exploited properly.

OpenSSL, a free and open source library of code that lets users decrypt and encrypt communications, made headlines in April when it was revealed that an error in the code had existed for years, in turn affecting a major chunk of the internet. That bug — Heartbleed — was believed to be one of the biggest of its kind ever.

“Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, the attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating,” tech reporter Andy Greenberg wrote for Wired on Thursday. “But that still leaves open the possibility that anyone from an eavesdropper on your local Starbucks’ network to the NSA to strip away your Web connection’s encryption before it’s even initialized.”

Thursday’s discovery comes one-year-to-the-day after leaked the first article was published relying on leaked documentation provided by Edward Snowden, a former National Security Agency contractor who has since supplied journalists with a trove of sensitive materials concerning the United States intelligence community’s tactics with regards to bypassing and even sabotaging popular encryption methods meant to protect private communication. To commemorate the anniversary, a worldwide campaign on Thursday — Reset the Net — aimed to deliver encryption tools and other privacy-protecting features to novice users.