The common mistake is in the checking of return values from functions in OpenSSL that check digital signatures. Programmers have failed to allow for all the possible return values of the EVP_VerifyFinal function, and as a result some cases where the signature has not been successfully checked can be mistakenly treated as successfully verified.
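The flawed check beside a corrected one, as an added example (not code from OpenSSL or from any of the affected programs). EVP_VerifyFinal is documented to return 1 for a valid signature, 0 for an invalid one and -1 for an error; `toy_verify_final`, the 4-byte "signature" and the sample byte values are hypothetical stand-ins constructed so the snippet builds without linking OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN 4  /* constructed toy signature length */

/* Hypothetical stand-in with the same tri-state result as EVP_VerifyFinal():
 * 1 = signature valid, 0 = signature invalid, -1 = error, nothing verified.
 * The "signature" is a toy byte comparison, not real cryptography. */
static int toy_verify_final(const unsigned char *sig, size_t sig_len,
                            const unsigned char *want)
{
    if (sig == NULL || sig_len != SIG_LEN)
        return -1;                      /* input could not be processed */
    return memcmp(sig, want, SIG_LEN) == 0 ? 1 : 0;
}

/* Flawed caller: only 0 is treated as failure, so -1 falls through. */
int accept_flawed(const unsigned char *sig, size_t len, const unsigned char *want)
{
    if (!toy_verify_final(sig, len, want))
        return 0;                       /* rejected */
    return 1;                           /* accepted, including the -1 case */
}

/* Corrected caller: accept only when the result is exactly 1. */
int accept_strict(const unsigned char *sig, size_t len, const unsigned char *want)
{
    return toy_verify_final(sig, len, want) == 1;
}

int main(void)
{
    const unsigned char expected[SIG_LEN] = {0xde, 0xad, 0xbe, 0xef};
    const unsigned char wrong[SIG_LEN]    = {0x00, 0x01, 0x02, 0x03};
    const unsigned char truncated[2]      = {0xde, 0xad};  /* yields -1 */

    printf("valid:     flawed=%d strict=%d\n",
           accept_flawed(expected, SIG_LEN, expected),
           accept_strict(expected, SIG_LEN, expected));
    printf("invalid:   flawed=%d strict=%d\n",
           accept_flawed(wrong, SIG_LEN, expected),
           accept_strict(wrong, SIG_LEN, expected));
    printf("error(-1): flawed=%d strict=%d\n",
           accept_flawed(truncated, sizeof truncated, expected),
           accept_strict(truncated, sizeof truncated, expected));
    return 0;
}
```

When auditing callers, any test of the form `if (!EVP_VerifyFinal(...))` or `if (EVP_VerifyFinal(...))` deserves a closer look; the safe comparisons are `== 1` for success or `<= 0` for failure.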
OpenSSL’s developers also made the same mistake in their own code. OpenSSL 0.9.8j was released yesterday to fix a number of bugs within the OpenSSL library where signatures could be accepted incorrectly. According to the OpenSSL advisory, these bugs affect the signature checks on DSA and ECDSA keys used with SSL/TLS. Clients using unpatched versions of OpenSSL are vulnerable to man-in-the-middle attacks when connecting to SSL/HTTPS servers with DSA certificates. Fortunately, DSA certificates on websites are very rare — we find only 31 third-party-validated DSA certificates in the Netcraft SSL survey.
It is likely that other programs using OpenSSL have made the same mistake. The advisory identifies a number of other affected programs, including NTP, lasso and Sun Grid Engine — in each case, new versions are or will soon be available fixing the bug.