Multiple fixes are planned for the forthcoming release

Mar 17, 2015 21:01 GMT  ·  By

A new version of OpenSSL crypto-library is scheduled to emerge in a couple of days, carrying an undisclosed number of security fixes, one of them more severe than all the others.

OpenSSL is an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) secure communication protocols used for running encrypted traffic over a network.

The library is widely used in different products, from operating systems (including embedded ones), web servers and web browsers to apps for mobile devices and hardware appliances.

Heartbleed, POODLE and FREAK, all in less than a year

In the past year, its code was fixed for three major vulnerabilities making ripples all over the web. The one that drew particular attention, and which opened the door for funding the project's maintenance, was Heartbleed, a coding error disclosed in April 2014 that allowed leaking information from the memory of a server.

The details could include highly sensitive data such as keys for the current encrypted session, long-term server private keys or passwords.

In October 2014 news came about POODLE, an attack that allowed a third party in the position to intercept traffic to downgrade a strong secure connection to SSL 3.0, which features a weakness in the cryptographic algorithm consisting in insufficient verification of the block cipher padding used.

The most recent flaw affecting OpenSSL was disclosed at the beginning of this month. It is dubbed FREAK and it is also related to weak encryption.

Exploiting it requires traffic interception to inject packets that force export-grade 512-bit RSA keys to be used for the encryption process.

RSA keys this size can be broken with little financial effort and computing power. On Monday, a group of researchers found that tens of thousands of servers online rely on the same RSA key for encrypted communication with the clients.

Admins should get ready to deploy the new patches

The details about the patches expected in OpenSSL on Thursday are not available at the time, but one of the security holes to be closed has been marked as being extremely serious, according to a notification on Monday.

The new versions for OpenSSL will be 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf, and system administrators should prepare their testing systems in order to apply the fixes as soon as possible.

On March 9, 2015, the NCC Group Cryptography Services announced that OpenSSL would be the subject of an ample, though not comprehensive, security audit, whose preliminary results are expected to become available towards the beginning of summer.