Those responsible for the OpenSSL encryption tool have released a new version of it where two security flaws detected several days ago are solved.
A High Vulnerability and a Low Risk Vulnerability Take Over OpenSSL
The first of the vulnerabilities, known as CVE-2016-0701 and which is highly dangerous, affects exclusively OpenSSL 1.0.2 due to parameter generation Diffie-Hellman x9.42. These parameters are calculated using safe prime numbers to be truly reliable, however, according to those responsible for OpenSSL it is possible that the technique used is not the most appropriate, and they are forced to update it.
This security flaw could allow an attacker to intercept the negotiations of the secure connections using the supposedly private exponent used in them. To prevent this from happening, we must manually change the SSL_OP_SINGLE_DH_USE option in the configuration, which forces the algorithm to use different Diffie Hellman exponents in each negotiation process, preventing it from being interceded.
OpenSSL 1.0.2 has enabled this option by default so that the security flaw is solved and it does not depend on the users to enable the function. The version 1.0.1 is not affected by this vulnerability as it does not support x9.42 parameters.
The second of the vulnerabilities, CVE-2015-3197, is less important and dangerous than the previous one, and affects both version 1.0.1 and 1.0.2 equally of OpenSSL. This flaw can allow unauthorized modification of encryption negotiations in order to force them through SSLv2 even if this protocol has been disabled.
The new versions, 1.0.1r and 1.0.2f, also improve the security of connections reinforcing mitigation systems against Logjam techniques that allow reducing the security of TSL connections. Now, Diffie Hellman negotiations with TLS can be up to 1024 bits, automatically rejecting all those less than 768 bits. This prevents the security of these negotiations from being broken on a vulnerable server, something that has only been seen in weak connections with algorithms lower than 512 bits.
We can obtain more information about the vulnerabilities and the changes introduced in the previous versions from the link below.
We remember that support for version 1.0.1 ends on December 31, 2016. As of that date, no security patch will be published nor will any vulnerability discovered from entities be corrected, so it is recommended to update to the most recent version, 1.0.2, as soon as possible.
Have you already installed the new versions of OpenSSL?
We recommend you read our tutorial on tips to increase physical security in computers.