Yesterday, the crew at OpenSSL.org published their highly anticipated ‘high-severity’ vulnerability and patch affecting OpenSSL v1.0.1 & 1.0.2. They had given the security community a heads-up several days ago about the upcoming announcement, and there had been much speculation about the details of the vulnerability.
In case you’ve been trapped on a deserted island all day or in a conference room with no WiFi, here is a summary of what we know:
Q: What’s the news?
A: OpenSSL.org announced a high-severity vulnerability (CVE-2015-1793, also known as “Alternative Chains Certificate Forgery”) that could allow attackers to impersonate trusted Certificate Authorities by requiring applications to treat forged certificates as legitimate Certificate Authorities. Doing so would allow attackers to launch man-in-the-middle attacks. However, the attacker would need to have a very targeted understanding the application being used and the communication methods to be successful, so the risk of that is low.
For more information go to CVE-2015-1793 or OpenSSL.org
Q: What versions of OpenSSL are affected, and what are the patches?
A: Specific versions of OpenSSL 1.0.1 and 1.0.2 are affected, and here are the appropriate patches:
- OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
- OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
Fortunately, these versions have been available only since June 2015 (or sooner), meaning that they likely have not been widely deployed in many applications.
Q: How does this vulnerability affect AlienVault Products?
A: AlienVault USM and OSSIM are not vulnerable because they do not utilize the vulnerable versions of OpenSSL.
USM for AWS is not vulnerable because this vulnerability is exploitable only when OpenSSL is acting as a client, validating a certificate for authentication. USM for AWS never uses OpenSSL in this manner.
OTX is currently using a vulnerable version of OpenSSL, and will be patched shortly.
Q: Can the USM platform detect versions of OpenSSL that need to be patched?
A: It will, once we update the vulnerability scanning signatures of USM. We will notify our customers on the AlienVault Forum and via our Message Center within the USM platform when we have added that capability.
Q: Will the USM platform be able to detect exploits targeting vulnerable systems?
A: Yes, our AV Labs threat research team will update the USM platform’s Threat Intelligence to detect any malicious behavior targeting vulnerable systems. We will notify our customers on the AlienVault Forum and via our Message Center within the USM platform whenever we update our Threat Intelligence service.