OpenSSL.org Project on Tuesday released a software update to fix a flaw in all previously released versions of OpenSSL—up to versions 0.9.7h and 0.9.8a—that could allow hackers to compromise ostensibly secure Web servers.
The vulnerability could allow a hacker to force an OpenSSL-enabled site to use the outdated—and potentially insecure—SSL version 2.0 protocol.
A number of secure Web sites allow visitors to connect using earlier versions of SSL (Secure Sockets Layer), an option which can be enabled by OpenSSLs SSL_OP_ALL setting.
Web servers normally default to the most current encryption protocol supported by the users browser—usually TLS or SSL version 3, OpenSSL said.
But a flaw in the SSL_OP_ALL implementation could allow an attacker to trick the server into using SSL 2.0, OpenSSL said.
“With this verification step disabled, an attacker acting as a “man in the middle” can force a client and a server to negotiate the SSL 2.0 protocol, even if these parties both support SSL 3.0 or TLS 1.0,” the OpenSSL advisory says.
“The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only.”
The OpenSSL Project advises users to either upgrade their server software with the latest version or disable SSL 2.0 entirely.
“If this version upgrade is not an option at the present time, alternatively the following patch may be applied to the OpenSSL source code to resolve the problem.
“The patch is compatible with the 0.9.6, 0.9.7, and 0.9.8 branches of OpenSSL,” OpenSSL said.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.