OpenSSL just released several patches to fix vulnerabilities in the open-source cryptographic library, including a couple of high-severity flaws (CVE-2016-2107, CVE-2016-2108) that could be exploited to decrypt HTTPS traffic.
CVE-2016-2107 allows a man-in-the-middle attacker to mount a padding oracle attack that can decrypt HTTPS traffic when the connection uses an AES-CBC cipher suite and the server supports AES-NI.
A padding oracle lets an attacker repeatedly submit modified ciphertexts and learn from the server's distinguishable responses whether the padding was accepted, gradually recovering the plaintext. The flaw was first spotted by Juraj Somorovsky, who also released a tool called TLS-Attacker that can be used to exploit it.
According to the experts, the flaw has affected the OpenSSL cryptographic library since 2013, when the project's maintainers fixed another padding oracle flaw called Lucky 13.
“A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI,” states the advisory issued by OpenSSL. “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”
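As an added illustration (not OpenSSL's own code), a simplified post-decryption check for a TLS 1.1/1.2 CBC record, showing the length check the advisory says the Lucky 13 rewrite dropped: the record must be long enough to hold a MAC plus pad_len + 1 padding bytes before any padding byte is compared. The function names, the 20-byte MAC size and the record contents are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Verdict of the post-decryption sanity check on a TLS CBC record. */
enum rec_status { REC_OK = 0, REC_BAD = 1 };

/* Constant-time helpers for values below 2^31: all-ones when true, zero when false,
 * so the padding length (attacker-influenced) never drives a branch. */
static uint32_t ct_ge(uint32_t a, uint32_t b) { return ((a - b) >> 31) - 1; }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_ge(a, b) & ct_ge(b, a); }

/* Check a decrypted record laid out as plaintext || MAC || padding || pad_len.
 * Returns REC_OK only if the record has room for MAC + pad_len + 1 bytes and every
 * padding byte equals pad_len. The scan always covers a fixed 255-byte window. */
int tls_cbc_check_padding(const uint8_t *rec, size_t len, size_t mac_size)
{
    uint32_t pad_len, good, i;

    /* Public length check: at least the MAC and the padding-length byte itself. */
    if (len < mac_size + 1)
        return REC_BAD;
    pad_len = rec[len - 1];

    /* The check the regression lost: is there room for MAC + pad_len + 1 bytes? */
    good = ct_ge((uint32_t)(len - mac_size - 1), pad_len);

    /* Fixed-size scan ending at the length byte; only bytes that lie inside the
     * claimed padding affect the verdict, but the amount of work is constant. */
    for (i = 1; i <= 255; i++) {
        /* Never read before the record start; len is public, so this leaks nothing. */
        uint8_t b = (i < len) ? rec[len - 1 - i] : 0;
        uint32_t in_pad = ct_ge(pad_len, i);            /* i <= pad_len ? */
        good &= ~in_pad | ct_eq(b, pad_len);
    }
    return (good & 1) ? REC_OK : REC_BAD;
}

/* Build a constructed demo record: pt_len plaintext bytes, a dummy MAC of mac_size
 * bytes, pad_len padding bytes set to pad_byte, then the length byte. Returns len. */
size_t build_demo_record(uint8_t *buf, size_t pt_len, size_t mac_size,
                         uint8_t pad_len, uint8_t pad_byte)
{
    size_t i, len = pt_len + mac_size + pad_len + 1;
    for (i = 0; i < pt_len + mac_size; i++)
        buf[i] = (uint8_t)i;                           /* filler, not real data */
    for (i = 0; i < pad_len; i++)
        buf[pt_len + mac_size + i] = pad_byte;
    buf[len - 1] = pad_len;
    return len;
}
```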
The second flaw (CVE-2016-2108), also ranked as a high-severity issue, is a memory corruption vulnerability (an out-of-bounds write in OpenSSL's ASN.1 encoder) that only affects OpenSSL versions prior to April 2015.
ASN.1-encoding the value zero represented as a negative integer (a “negative zero”) causes a buffer underflow in i2c_ASN1_INTEGER, producing an out-of-bounds write and memory corruption. An attacker could exploit the vulnerability to execute malicious code on the web server.
“This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time. In previous versions of OpenSSL, ASN.1 encoding the value zero represented as a negative integer can cause a buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does not normally create ‘negative zeroes’ when parsing ASN.1 input, and therefore, an attacker cannot trigger this bug,” states the advisory.
If an application deserializes untrusted ASN.1 structures containing an ANY field and later reserializes them, an attacker may be able to trigger the flaw and cause the out-of-bounds write. The flaw can be triggered, for example, with maliciously crafted digital certificates signed by trusted certificate authorities.
“Applications that parse and re-encode X509 certificates are known to be vulnerable. Applications that verify RSA signatures on X509 certificates may also be vulnerable; however, only certificates with valid signatures trigger ASN.1 re-encoding and hence the bug.”
OpenSSL also fixed four other low-severity vulnerabilities: a memory exhaustion issue, a bug that resulted in arbitrary stack data being returned in the buffer, and two overflow vulnerabilities.
Administrators running OpenSSL versions 1.0.1 and 1.0.2 should install the security updates as soon as possible.