A new OpenSSL vulnerability named #OprahSSL has recently surfaced, allowing any valid certificate to act as an intermediate CA and sign other (faked) certificates.
Impact
Due to the nature of the issue and the fact, that only the two most recent OpenSSL versions (1.0.1n, 1.0.1o, 1.0.2b & 1.0.2c), dating back only one month (the release of 1.0.1n and 1.0.2b was on 11 June, 2015), are affected, only a very limited number of systems seem to be impacted:
- All 4 major browsers (Chrome, Firefox, IE & Safari) and smartphone operating systems do not use OpenSSL for their default connections and are therefore not affected
- Server services are only affected if they use client certificates
- The affected versions can currently only be found in test or pre-release versions like Ubuntu 15.10 alpha or rolling release distributions like Gentoo
Therefore most systems should be safe. The impact of the #OprahSSL vulnerability could have been a lot larger, but luckily the issue was discovered before it could become wide-spread.
Mitigation recommendation
If a system is affected, the OpenSSL library should be updated to version 1.0.1p or 1.0.2d.
This article was produced by our research team who analyzes and engineers new exploits and attack scenarios. Oneconsult AG has one of the largest teams of salaried and certified penetration testers in Switzerland. As a result of over 850 sophisticated penetration tests, we discover several dozen zero-day vulnerabilities per year.
