
#OprahSSL Vulnerability – Oneconsult Security Advisory

A new OpenSSL vulnerability named #OprahSSL has recently surfaced, allowing any valid certificate to act as an intermediate CA and sign other (faked) certificates.


Impact
Due to the nature of the issue and the fact that only the two most recent OpenSSL versions (1.0.1n, 1.0.1o, 1.0.2b & 1.0.2c) are affected, all dating back only one month (1.0.1n and 1.0.2b were released on 11 June 2015), only a very limited number of systems seem to be impacted:

  • All 4 major browsers (Chrome, Firefox, IE & Safari) and smartphone operating systems do not use OpenSSL for their default connections and are therefore not affected
  • Server services are only affected if they use client certificates
  • The affected versions can currently only be found in test or pre-release versions like Ubuntu 15.10 alpha or rolling release distributions like Gentoo

Therefore, most systems should be safe. The impact of the #OprahSSL vulnerability could have been a lot larger, but luckily the issue was discovered before it could become widespread.

Mitigation recommendation
If a system is affected, the OpenSSL library should be updated to version 1.0.1p or 1.0.2d.
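
A quick way to check the `openssl` binary on a system against the versions named in this advisory (added example, not Oneconsult's or OpenSSL's own code; the function name `classify_openssl_version` and its result labels are assumptions):

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the versions
# listed in this advisory. Function name and labels are hypothetical.

# Prints one of: affected | fixed | not-affected | unparsed
classify_openssl_version() {
    # Banner shape: "OpenSSL 1.0.2c-fips <build date>"; field 2 is the version.
    osv_ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    # FIPS builds append "-fips" to the version token; strip it before matching.
    osv_ver=${osv_ver%-fips}
    case "$osv_ver" in
        1.0.1n|1.0.1o|1.0.2b|1.0.2c)
            echo "affected" ;;       # versions the advisory lists as affected
        1.0.1p|1.0.2d)
            echo "fixed" ;;          # versions the advisory recommends updating to
        [0-9]*.[0-9]*.[0-9]*)
            echo "not-affected" ;;   # any other well-formed OpenSSL version
        *)
            echo "unparsed" ;;       # empty, malformed, or not an OpenSSL banner
    esac
}

# Report on the openssl binary found on PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    osv_banner=$(openssl version)
    echo "$osv_banner => $(classify_openssl_version "$osv_banner")"
fi
```

This only inspects the `openssl` binary on PATH; applications that bundle or statically link their own copy of the library have to be checked separately.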

This article was produced by our research team, which analyzes and engineers new exploits and attack scenarios. Oneconsult AG has one of the largest teams of salaried and certified penetration testers in Switzerland. As a result of over 850 sophisticated penetration tests, we discover several dozen zero-day vulnerabilities per year.

Published on: 10.07.2015
