Any flaw in the crypto library has a widespread impact

Jul 5, 2015 21:30 GMT  ·  By

Anyone relying on OpenSSL toolkit for implementing strong cryptography in their products should be prepared to switch to a new release, come July 9, that delivers a fix against a high-risk bug, announced the maintainers of the library.

The team working to keep OpenSSL safe from abuse informed via the product’s mailing list on Monday that versions 1.0.2d and 1.0.1p are expected to land on Thursday.

No hint on the nature of the bug

To keep attackers in the dark and prevent them from creating an exploit for the vulnerability, the communication withholds any details that might offer information about the problem.

It is certain, though, that the new variants of OpenSSL will address a single security flaw, as developer Mark Cox explicitly says in the email:

“These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity,” he writes.

It appears that not all versions of the package are affected, as builds 1.0.0 or 0.9.8 are immune.

FREAK glitch was one of the latest high-severity issues fixed

However, using these builds is not a safe option because they are susceptible to other bugs, such as CVE-2015-0204, which can allow downgrading the protection of a secure communication to a weak encryption key that can be easily broken.

The attack, dubbed FREAK (Factoring RSA Export Keys) would allow an attacker in a man-in-the-middle position to force the connection to use 512-bit export-grade RSA keys.

With a sufficiently powerful system, these can be broken in a matter of hours.. Researchers were able to learn the key by leveraging a cluster of EC2 virtual servers, which cost about $100 / €90 to rent.

Given the popularity of OpenSSL, a bug affecting it would create ripples propagating to consumers, too.

An alert about a "high" severity vulnerability should not be treated lightly and developers should prepare for implementing the fresh variant of the library as soon as possible.