Researchers have found a way to hack the OpenSSL verification software used in many VPNs and web servers with forged certificates.
The vulnerability affects a specific set of cryptographic X.509 keys known as PKCS #1 v1, and could allow an attacker to have a non-legitimate and forged certificate accepted as real, compromising and unpatched system.
Versions of the software from 0.9.7j to 0.9.8b are said to be at risk, and the open source project has recommended that anyone using the software should update it immediately.
“Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature,” the advisory warns.
Uncovered by Bell Labs’ cryptographer Daniel Bleichenbacher, the complex exploit was first shown to fellow professionals at Crypto 2006 last month, but has only recently come to light now that a fix has been made available.
The number of vendors affected by the issue is unknown but believed to be extensive given the popularity of the open source OpenSSL toolkit which is frequently used to implement SSL (secure sockets layer) and TLS (transport layer protocols).
-John E. Dunn, Techworld.com (London)
Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.