It took the developers of OpenSSL just over two weeks to patch a high severity vulnerability that allows attackers to obtain information that could be used to decrypt secure traffic. The flaw, identified as CVE-2016-0701, was reported on January 12 by Antonio Sanso of Adobe and it was patched by the OpenSSL Project on Thursday with the release of version 1.0.2f. The researcher’s attack is based on a key recovery method described in a paper published in 1997. Starting with OpenSSL 1.0.2, developers introduced support for generating X9.42 style parameter files as required in RFC 5114. The problem is that the primes in these files may not be “safe,” which in certain circumstances could allow an attacker to obtain the key needed to decrypt traffic.
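The summary above names the root cause (a Diffie-Hellman modulus that is not a safe prime) but does not show what a defender's parameter check looks like. The following is an added example, not code from OpenSSL, from the researcher, or from the Security Week story: a small Python audit that tests whether a DH modulus is a safe prime, whether the generator has the expected subgroup order, and whether a peer's public value lies in that subgroup, which is the standard check that removes the small-subgroup risk when a non-safe prime (RFC 5114-style, with a separate subgroup order q) must be used. The two groups are constructed toy values (p = 1019 and p = 43), chosen so the arithmetic is easy to follow; they are not parameters from RFC 5114 or from any OpenSSL parameter file.

```python
import random

# First few primes: used for trial division and as fixed Miller-Rabin witnesses.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, extra_rounds=16):
    """Miller-Rabin primality test.

    Trial division by SMALL_PRIMES first, then Miller-Rabin with the small
    primes as witness bases; for inputs wider than 64 bits a further
    `extra_rounds` random bases are added.
    """
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    # Write n - 1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    bases = list(SMALL_PRIMES)
    if n.bit_length() > 64:
        bases += [random.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p):
    """A safe prime p has the form p = 2q + 1 with q also prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_dh_group(p, g, q=None):
    """Audit DH parameters (p, g) and return a list of findings; [] means OK.

    If q (the order of the subgroup generated by g) is not given, the group
    is required to use a safe prime, so q = (p - 1) / 2.
    """
    findings = []
    if not is_probable_prime(p):
        return ["p is not prime"]
    safe = is_safe_prime(p)
    if q is None:
        q = (p - 1) // 2
        if not safe:
            findings.append("p is not a safe prime and no subgroup order q was supplied")
    else:
        if not is_probable_prime(q) or (p - 1) % q != 0:
            findings.append("q is not a prime divisor of p - 1")
        if not safe:
            # p - 1 has small factors besides 2 and q: peer public values must be
            # confined to the order-q subgroup (see validate_peer_public_key).
            findings.append("p is not a safe prime: peer public keys must be checked against q")
    if not 1 < g < p - 1:
        findings.append("generator g is out of range")
    elif pow(g, q, p) != 1:
        # g of another order does not keep the shared secret inside the
        # q-subgroup (for p = 1019, g = 2 generates all of Z_p* and is flagged).
        findings.append("g does not generate the order-q subgroup")
    return findings


def validate_peer_public_key(y, p, q):
    """Accept a peer's DH public value only if it is a non-trivial element of
    the order-q subgroup: 1 < y < p - 1 and y^q = 1 (mod p)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


# Constructed toy groups (not real-world parameters):
#   SAFE_GROUP: p = 1019 = 2 * 509 + 1, both prime; g = 4 has order 509.
#   WEAK_GROUP: p = 43, p - 1 = 2 * 3 * 7; g = 21 has order q = 7.
SAFE_GROUP = {"p": 1019, "g": 4, "q": 509}
WEAK_GROUP = {"p": 43, "g": 21, "q": 7}

if __name__ == "__main__":
    for name, grp in (("SAFE_GROUP", SAFE_GROUP), ("WEAK_GROUP", WEAK_GROUP)):
        print(name, "safe prime:", is_safe_prime(grp["p"]),
              "findings:", check_dh_group(grp["p"], grp["g"], grp["q"]))
    # A value outside the order-7 subgroup of Z_43* is rejected before use.
    print("peer y=2 accepted:", validate_peer_public_key(2, 43, 7))
```

Running the script reports the p = 1019 group as clean, flags the p = 43 group as a non-safe prime whose peer values need the subgroup check, and shows y = 2 being rejected for that group because 2^7 mod 43 = 42 rather than 1. In a deployment the same two controls apply: prefer safe-prime groups, and where a non-safe prime is unavoidable, reject any peer public value that fails the y^q = 1 test before deriving a shared secret with it.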
ORIGINAL SOURCE: Security Week