The OpenSSL project team has patched two vulnerabilities in the cryptographic library and enhanced the strength of existing cryptography used by OpenSSL versions 1.0.1 and 1.0.2. OpenSSL 1.0.2 users should upgrade to 1.0.2f, and 1.0.1 users should upgrade to 1.0.1r to take advantage of the cryptographic improvements, according to the security advisory.
The high-priority bug addresses an issue in how some Diffie-Hellman parameters are generated in OpenSSL 1.0.2 (CVE 2016-0701). Historically, the parameters were generated using only "safe" prime numbers, but primes generating X9.42 style parameter files, such as those required for RFC 5114 support, may not be safe after all.
"Where an application is using DH configured with parameters based on primes that are not safe, then an attacker could use this fact to find a peer's private DH exponent," the advisory said.
An attacker could potentially complete multiple handshakes with a vulnerable server to discover the TLS server's private Diffie-Hellman exponent if the server was reusing the private exponent or using a static ciphersuite. OpenSSL has the SSL_OP_SINGLE_DH_USE option for ephemeral Diffie Hellman in TLS, which was turned off by default. In situations where the option was not set, the server would reuse the same private exponent for the life of the server process, making the server vulnerable to this type of attack.
"It is believed that many popular application do set this option and would therefore not be at risk," OpenSSL said.
In the updated 1.0.2f release, the SSL_OP_SINGLE_DH_USE option is turned on by default and cannot be disabled. Another check for whether a "q" parameter (as is the case in X9.42 based parameters) is available was added as well.
There may be a performance impact, but this is "the only possible defense for statis DH ciphersuites," the security advisory warned.
OpenSSL 1.0.1 is not affected because it does not support X9.42 parameters, but the changes to the SSL_OP_SINGLE_DH_USE option has also been backported to 1.0.1r.
The other vulnerability, which affects both 1.0.1 and 1.0.2, can let a malicious client negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes (CVE 2015-3197). It doesn't matter if all SSLv2 ciphers have been disabled, the client-side attack would succeed if the SSLv2 protocol was not disabled via the SSL_OP_NO_SSLv2 option. This bug was rated as low priority.
OpenSSL also enhanced the strength of the cryptography used to mitigate the Logjam downgrade vulnerability in TLS. Logjam (CVE 2015-4000) refers to the vulnerability in the TLS protocol that allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit cryptography. This meant that attackers could break and read any encrypted traffic.
OpenSSL mitigated Logjam in versions 1.0.2.b and 1.0.1n by rejecting handshakes with parameters shorter than 768 bits. In versions 1.0.2f and 1.0.1r, the limit has been raised to 1,024 bits, offering "stronger cryptographic assurance for all TLS connections using ephemeral Diffie-Hellman key exchange."
The project team also warned that support for OpenSSL 0.9.8 and 1.0.0 ended on Dec. 31, 2015, and are no longer receiving security updates. Support for OpenSSL version 1.0.1 will be ending on Dec. 31, 2016, according to the advisory. Up until that date, only security fixes will be applied. Anyone using OpenSSL should be upgrading to 1.0.2.