OpenSSL bug allowed attackers to act as a CA and issue invalid certificates for running man-in-the-middle attacks

Jul 9, 2015 15:04 GMT

Developers of the OpenSSL toolkit were made aware of, and have fixed, a high-severity issue: a certificate forgery vulnerability that was introduced into their code by updates to previously patched versions.

The issue was introduced in versions 1.0.1n and 1.0.2b, and was detected by Google employees Adam Langley and David Benjamin while working on Google's own version of the OpenSSL toolkit (BoringSSL).

With today's updates, 1.0.2d and 1.0.1p, the OpenSSL team has successfully closed the vulnerability documented in CVE-2015-1793.

How the certificate forgery vulnerability works

As the CVE details, the problem lies in the certificate verification process. If there's an error during this stage, an attacker can force the verification process to skip important stages, like the CA flag check.

This means that the attacker can then issue their own invalid certificates and pass them off as a valid communication endpoint.

"This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication," says the official advisory.

Impact is much smaller than in the case of previous OpenSSL bugs

In simpler terms, this vulnerability basically allows any attacker to act as a Certificate Authority (CA) and then run man-in-the-middle attacks, intercepting private information.

Compared to previous OpenSSL issues, this one, even if potentially dangerous, existed only in OpenSSL releases between June and July 2015, so the possible number of affected clients is also much smaller.

According to Mattias Geniar, almost no Linux operating system is affected by this problem, and Red Hat has already come out with an announcement on its part.

In any case, it's better to err on the side of caution, and upgrading for any type of man-in-the-middle vulnerability is highly recommended in any scenario.
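As an added example (not code from the OpenSSL project or from the original article), the following Python sketch checks whether an `openssl version` banner falls inside the window described above: introduced in 1.0.1n and 1.0.2b, fixed in 1.0.1p and 1.0.2d. The names `AFFECTED`, `parse_openssl_version` and `in_affected_window` are hypothetical, and the sample banners are constructed.

```python
import re
import ssl

# Affected windows from the article: introduced in 1.0.1n and 1.0.2b,
# fixed in 1.0.1p and 1.0.2d. branch -> (first affected, first fixed).
AFFECTED = {(1, 0, 1): ("n", "p"), (1, 0, 2): ("b", "d")}

# Pre-3.0 OpenSSL versions are three numbers plus optional patch letters.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letters), or None if no match."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None  # e.g. LibreSSL, which uses a different banner
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix)), letters


def _letter_key(letters):
    # Patch letters run a..z, then za, zb, ...: order by length, then text.
    return (len(letters), letters)


def in_affected_window(banner):
    """True if the version lies in [first affected, first fixed) for its branch."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return False
    branch, letters = parsed
    if branch not in AFFECTED:
        return False
    first_bad, first_fixed = AFFECTED[branch]
    return _letter_key(first_bad) <= _letter_key(letters) < _letter_key(first_fixed)


if __name__ == "__main__":
    # Constructed sample banners, plus the library this interpreter links against.
    for banner in ["OpenSSL 1.0.1o", "OpenSSL 1.0.2c", "OpenSSL 1.0.2d",
                   "OpenSSL 1.0.1e-fips", ssl.OPENSSL_VERSION]:
        verdict = "AFFECTED window" if in_affected_window(banner) else "outside window"
        print(f"{banner!r}: {verdict}")
```

A version banner is only a first-pass signal: distribution packages may carry backported patches under an unchanged upstream version string, so confirm the result against the vendor's own advisory.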