There’s a critical vulnerability in some versions of the widely used OpenSSL code library that in some cases allows attackers to impersonate cryptographically protected websites, e-mail servers, and virtual private networks, according to an advisory issued early Thursday morning.
The bug allows attackers to force vulnerable end-user applications into treating an invalid certificate as a legitimate transport layer security (TLS) or secure sockets layer (SSL) credential. As a result, adversaries with the ability to monitor a connection between the end user and trusted server could intercept or even modify data passing between them. The vulnerability resides in OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. The flaw appears to have been added earlier this year, based onthis Github contribution dated January 27. It wasn’t introduced into the actual OpenSSL versions until last month, however.
View full story