In today’s Whiteboard Wednesday, Tod Beardsley, Security Research Manager at Rapid7, will discuss the latest OpenSSL vulnerability announced on July 9th, 2015.
Watch this week’s video to learn how the vulnerability works, the impact, and how to tell if your organization is affected.
Hi! I'm Tod Beardsley here at Rapid7. And this is Whiteboard Wednesday. Today, we're going to talk about CVE-2015-1793. I have to keep looking because it doesn't have a funny name or a brand or anything, which is a bummer. I like the ones that have funny names. But because it has a funny name, I've already spoiled the whole surprise here is that this is a big deal, don't get me wrong, but it's not as big of a deal as we might've expected or feared for today.
So this morning on July 9, the OpenSSL team announced the availability of a patch for a high-rated vulnerability that affects how certificates are validated. And so we're going to talk about how that works, what the happy path is, and then what an attack would look like, what the real impact is for you, and how you can tell if you're affected. So we're going to blast through that right now.
First off, just a quick overview, when you go to a secure website, that website will give you a certificate. And then your browser says, "Yup, the certificate looks legit. It is who they say they are. And I can tell that because I can see that it's signed by a certificate authority."
The bug here in OpenSSL 1.0.1 and 1.0.2 is that that check for the certificate authority is a little bit broken. And a bad guy can show up and create, basically, arbitrary certs and say that he is the certificate authority, and you should trust all of them. So that's a bummer. That's a huge bummer.
The reality, though, is that in order for this attack to be carried out, the attacker has to be in the middle of the communication between you and the service you're trying to get to. So either that attacker is going to be real close by, like in the same room, on the LAN giggling or snickering or chortling I guess, because they're evil, or they're going to be upstream, like on some hop between you and that service. So either they're in your ISP or they're on the backbone, in which case they're already in a pretty privileged position, and you might have bigger problems if you're attracting that kind of attention.
But the upshot of that is that this is not a vulnerability that could be used to hoover up all the secret communications and decrypt them later or run code on anybody. This is nothing like that, because at the end, the encryption is still real solid. You just are not sure about identity now. So you're telling perfect secrets to strangers. And that's a bummer. This is one of the promises of modern cryptography is that I know that my secrets are safe, and I know who I'm telling them to.
So that's about the gist of it. A real summary version of it is that it requires a man in the middle of the attack. And generally speaking, most libraries out there aren't affected by this. It is only OpenSSL 1.0.1 and 1.0.2. Android devices, for example, use BoringSSL. And Mozilla uses their own SSL library. Microsoft uses Schannel. None of those appear to be affected today. If that changes, we'll let you know. But in the meantime, you can scan your infrastructure with Nexpose and check out what versions of OpenSSL you actually have installed and linked in whatever your application is. You will want to update those to OpenSSL 1.0.1p and OpenSSL 1.0.2d. Anything before that, you're going to want to update.
And so, yeah, that's about the long and the short of it. Thanks for watching. And we'll talk to you next week.
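The version check described in the talk, sketched as an added example (not part of the video, and not Nexpose or any Rapid7 tooling): it reads `openssl version` style banners and flags anything on the 1.0.1 or 1.0.2 branch that is older than the fixed releases named above. The host names and the inventory are constructed for illustration.

```python
import re

# Fixed releases named in the talk, keyed by the branch they belong to.
FIXED = {"1.0.1": "p", "1.0.2": "d"}

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def _rank(letters):
    # Patch letters run a..z, then za, zb, ...; "" is the base release.
    # Comparing (length, text) orders "" < "a" < "z" < "za".
    return (len(letters), letters)


def classify(banner):
    """Classify one banner as 'update', 'ok', 'other-branch' or 'unparsed'."""
    match = _BANNER.search(banner)
    if match is None:
        return "unparsed"          # not OpenSSL, or an unexpected format
    branch, letters = match.groups()
    if branch not in FIXED:
        return "other-branch"      # outside the two branches the talk names
    return "ok" if _rank(letters) >= _rank(FIXED[branch]) else "update"


def triage(inventory):
    """Map each host to the classification of its reported banner."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real scan output).
SAMPLE = {
    "web01": "OpenSSL 1.0.1k 8 Jan 2015",
    "web02": "OpenSSL 1.0.1p 9 Jul 2015",
    "api01": "OpenSSL 1.0.2c 12 Jun 2015",
    "api02": "OpenSSL 1.0.2d 9 Jul 2015",
    "legacy": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "proxy": "LibreSSL 2.2.0",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

A banner is only a first pass: distributions that backport fixes can keep an older version letter, so confirm an "update" result against the package changelog before acting on it.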