Vulnerable versions of OpenSSL apparently still widely deployed on commerce sites

The UK National Infrastructure Security Co-ordination Centre (NISCC) developed a test suite for SSL/TLS implementations, designed to detect vulnerabilities caused by the implementation responding badly to deliberately malformed certificate syntax. These tests have been run against a number of Vendors' implementations, several of which are either vulnerable to some extent, or are still awaiting the manufacturer's feedback, and the results are sumarised on the NISCC web site.

The tests were made available to the OpenSSL team, and three specific vulnerabilities were found. These could result in denial of service, or theoretically allow execution of arbitrary code, when OpenSSL is presented with a malformed client certificate. The fixes for these problems are available in the latest versions (0.9.6k and 0.9.7c).

No. of
0.9.6d and
25539 30-Jul-2002 Practical to run arbitrary code remotely
0.9.6e-h and
14116 19-Feb-2003 Practical (LAN) attack to recover frequently repeated plaintext such as passwords
0.9.6i and
5877 17-Mar-2003
Practical (LAN) attacks to obtain or use secret key
0.9.6j and
4003 30-Sep-2003 Denial of Service, and theoretically possible run arbitrary code remotely
0.9.6k and
1356   Clean at present
Total all

The table shows counts of OpenSSL versions found in October SSL server survey, restricted to cases where the server signature string appeared to include a valid OpenSSL description. The version numbers are grouped by the OpenSSL security advisories which apply to them (normally an advisory given against a later version will also apply to an earlier version, in addition to the specific advisory given for that earlier version).

In the notes on the effect of an attack, some exploits are described as practical on a LAN only, meaning that the attacking machine has to have a fast network connection to the target. However, people with hosted SSL sites should take note that any other machine in the same datacenter as their machine will have high speed network access to their site, and that attackers can often obtain fraudulent access to dedicated servers for a few days.

Just over half of all sites for which we are able to determine the OpenSSL version have banners indicating that they are still using software which is vulnerable to the most serious attack - the one described in the July 2002 advisory - as well as the more recently discovered problems. Sites using versions of OpenSSL up to 0.9.6d are open to remote execution of arbitrary code, running under the username of the process which invokes OpenSSL.

However, relying on version numbers to determine the number of vulnerable OpenSSL sites is flawed because vendors backport security patches. So a site using OpenSSL on a Red Hat 9 system will likely report itself as OpenSSL 0.9.7a even though it isn't vulnerable to any of the issues mentioned and the situation is similar for SuSE, Debian, Mandrake, and most of the Linux distributions. Additionally, many of the vendor distributions of Apache have recently started supressing all the extra module information by default, so newer distributions (ones that are not vulnerable) are less likely to be listed.

This leads to a situation which is confusing and may make security amongst OpenSSL sites appear worse than it actually is. However, it is likely that many of the sites shown as running earlier, vulnerable versions of OpenSSL really are unpatched. This emphasises again that with SSL, although the transit of the information over the internet may be encrypted and secure, once the information reaches the server itself, absolutely nothing can be taken for granted.