Another leak in OpenSSL discovered

Two months after a critical vulnerability in OpenSSL was discovered, another dangerous bug in the code has come to light. Attackers can perform a man-in-the-middle attack, but only if the victim also uses OpenSSL.

The vulnerability could allow an attacker to force weak encryption into an OpenSSL connection if they are able to intercept the network traffic. The content of the communication can then be cracked thanks to the weak encryption, according to an OpenSSL security bulletin.

The vulnerability can only be used if both the server and client are vulnerable to the bug. Therefore, users using other SSL/TLS software are not vulnerable. Firefox, Safari and the desktop version Chrome, among others, use a different ssl/tls library than OpenSSL, so users of those browsers have nothing to fear. The Android version of Chrome does use OpenSSL again.

The OpenSSL team has released an update for the software. Patching the bug took over a month; on May 1, a Japanese researcher found the security flaw, but the update wasn’t released until Thursday.

The bug comes two months after a much more serious vulnerability was discovered in the OpenSSL code that allowed an attacker to read small portions of the internal memory of a server running OpenSSL. As a result, private keys, unencrypted passwords and other sensitive data were potentially on the street. A test by CloudFlare, which configured a vulnerable server and connected it to the internet, showed this to be the case in practice.