New vulnerabilities were discovered yesterday in multiple programs using OpenSSL, one of the standard cryptography libraries on Linux and Unix systems. Due to a common mistake in checking return values from functions checking digital signatures, several programs may be vulnerable to spoofing of digital signatures.
The most important affected program is ISC Bind, which is the most widely used DNS server on the internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. Bind have released BIND 9.6.0-P1 this morning to fix this bug.
The common mistake is in the checking of return values from functions in OpenSSL that check digital signatures. Programmers have failed to allow for all the possible return values of the
EVP_VerifyFinal function, and as a result some cases where the signature has not been successfully checked can be mistakenly treated as successfully verified.
OpenSSL's developers also made the same mistake in their own code. OpenSSL 0.9.8j was released yesterday to fix a number of bugs within the OpenSSL library where signatures could be accepted incorrectly. According to the OpenSSL advisory, these bugs affect the signature checks on DSA and ECDSA keys used with SSL/TLS. Clients using unpatched versions of OpenSSL are vulnerable to man-in-the-middle attacks when connecting to SSL/HTTPS servers with DSA certificates. Fortunately, DSA certificates on websites are very rare — we find only 31 third-party-validated DSA certificates in the Netcraft SSL survey.
It is likely that other programs using OpenSSL have made the same mistake. The advisory identifies a number of other affected programs, including NTP, lasso and Sun Grid Engine — in each case, new versions are or will soon be available fixing the bug .