#OprahSSL Vulnerability – Oneconsult Security Advisory

A new OpenSSL vulnerability named #OprahSSL has recently surfaced, allowing any valid certificate to act as an intermediate CA and sign other (faked) certificates.

Because of the nature of the issue and the fact that only the two most recent OpenSSL versions (1.0.1n, 1.0.1o, 1.0.2b & 1.0.2c), dating back only one month (1.0.1n and 1.0.2b were released on 11 June 2015), are affected, only a very limited number of systems seem to be impacted:

  • All 4 major browsers (Chrome, Firefox, IE & Safari) and smartphone operating systems do not use OpenSSL for their default connections and are therefore not affected
  • Server services are only affected if they use client certificates
  • The affected versions can currently only be found in test or pre-release versions like Ubuntu 15.10 alpha or rolling release distributions like Gentoo

Therefore, most systems should be safe. The impact of the #OprahSSL vulnerability could have been a lot larger, but luckily the issue was discovered before it could become widespread.

Mitigation recommendation
If a system is affected, the OpenSSL library should be updated to version 1.0.1p or 1.0.2d.
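
To find out whether a system is affected, including copies of OpenSSL bundled with or statically linked into applications, the files can be searched for the version banner that OpenSSL builds embed. The following is an added example, not Oneconsult's code; it assumes the banner has not been stripped or altered, and the files to scan are supplied by the operator.

```python
import re
import sys
from pathlib import Path

# Affected releases mapped to the fixed release named in the advisory above.
AFFECTED = {"1.0.1n": "1.0.1p", "1.0.1o": "1.0.1p",
            "1.0.2b": "1.0.2d", "1.0.2c": "1.0.2d"}

# Embedded banner format: b"OpenSSL <version>[-suffix] <day> <Mon> <year>".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:-[a-z0-9]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")


def find_versions(blob):
    """Return the sorted, de-duplicated OpenSSL versions whose banner is in blob."""
    return sorted({m.group(1).decode("ascii") for m in BANNER.finditer(blob)})


def assess(blob):
    """Map each embedded version to the release to install, or None if unaffected."""
    return {v: AFFECTED.get(v) for v in find_versions(blob)}


def scan(paths):
    """Assess every readable regular file; returns {path: {version: fix_or_None}}."""
    report = {}
    for p in map(Path, paths):
        try:
            if p.is_file():
                found = assess(p.read_bytes())
                if found:
                    report[str(p)] = found
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
    return report


if __name__ == "__main__":
    # Usage: python scan_openssl.py <library-or-binary> [<library-or-binary> ...]
    for path, versions in scan(sys.argv[1:]).items():
        for version, fix in versions.items():
            status = f"AFFECTED, update to {fix}" if fix else "not in the affected list"
            print(f"{path}: OpenSSL {version}: {status}")
```

A hit identifies the upstream version string only, so confirm it against the vendor's package changelog before and after updating.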

This article was produced by our research team, which analyzes and engineers new exploits and attack scenarios. Oneconsult AG has one of the largest teams of salaried and certified penetration testers in Switzerland. As a result of over 850 sophisticated penetration tests, we discover several dozen zero-day vulnerabilities per year.

Category: News & Advisories
Published on: 10.07.2015

