
Guard against this OpenSSL vulnerability

The overwhelming number of open source Web sites and the widespread use of OpenSSL to secure connections create a tremendous problem when vulnerabilities emerge. Case in point: In October 2005, the OpenSSL.org Project released a patch to fix a vulnerability in all previously released versions of OpenSSL. Get the details about this vulnerability, and get Mike Mullins' take on the overall challenges of patch management.

According to Internet services company Netcraft's latest poll, open source Web sites dominate the Web site market. The November 2005 survey found that Apache Web servers run on 70 percent of all Web sites. In addition, almost every reputable site that asks you for any personal information will do so using the Secure Sockets Layer (SSL) protocol.

The overwhelming number of open source Web sites and the widespread use of OpenSSL to secure connections create a tremendous problem when vulnerabilities emerge. For example, in October 2005, the OpenSSL.org Project released a patch to fix a vulnerability in all previously released versions of OpenSSL (i.e., all versions up to 0.9.7h and 0.9.8a). For more details about this vulnerability, see the Secunia advisory.

The vulnerability involves a problem with the use of the SSL_OP_MSIE_SSLV2_RSA_PADDING configuration option. Setting the SSL_OP_ALL option automatically enables this option as well.

The SSL_OP_MSIE_SSLV2_RSA_PADDING option is a common configuration workaround that disables a verification step in the SSL 2.0 server. That step is supposed to prevent active protocol-version rollback attacks: while it runs, an attacker acting as a "man in the middle" can't force a client and server to negotiate the SSL 2.0 protocol when both parties support SSL 3.0 or TLS 1.0. With the step disabled, that protection is gone. The check is intentional, because of previously discovered cryptographic weaknesses in SSL 2.0.

This workaround's original purpose was to address interoperability issues between Web servers and the secure applications they serve. This is a classic case of two open source vendors trying to support every conceivable function that a Webmaster might enable on a Web site.

However, in this case, the lack of any application standards has led to a vulnerability that affects roughly three-fourths of all Web sites and comes preinstalled on Red Hat Linux. The OpenSSL Project has published a new version to address this issue and recommends immediate deployment. A patch is also available for those sites that can't upgrade due to interoperability problems with served applications.

While the issue of a newly discovered vulnerability that affects a large percentage of the computers running on the Internet has become quite common, the problem goes much deeper. One of the most persistent problems with software is patch management—and the larger the enterprise, the larger the problem.

Microsoft has taken steps to address this issue with its Automatic Updates service. In my opinion, the software company has done a good job of notifying users of available patches and updates.

On the other hand, the open source community continues to struggle with developing an integrated patch management solution. Most administrators have little time to check for patches or read vulnerability notices—if they've even signed up to receive them. That's why it's essential to know exactly what you've deployed on your systems and to check regularly for updates for that software.
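As an added example (not part of the original column), the inventory check described above can be scripted for this specific issue by classifying `openssl version` banners against the two releases the article names. It assumes 0.9.7h and 0.9.8a are themselves the first fixed releases on their branches, as the OpenSSL advisory states; the hostnames and banners are constructed sample data.

```python
import re

# First fixed release on each branch the article names.
# Assumption: 0.9.7h and 0.9.8a are themselves the fixed releases.
FIXED = {(0, 9, 7): "h", (0, 9, 8): "a"}
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def suffix_rank(suffix):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)

def classify(banner):
    """Map one `openssl version` line to 'affected', 'fixed' or 'unknown'."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"            # not an OpenSSL banner; check by hand
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    suffix = m.group(4)
    if branch > max(FIXED):
        return "fixed"              # released after the 0.9.8 branch
    if branch not in FIXED:
        return "affected"           # older branch with no fixed release named
    if suffix_rank(suffix) >= suffix_rank(FIXED[branch]):
        return "fixed"
    return "affected"

def triage(inventory):
    """Return {status: sorted hosts} for a host -> banner mapping."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, banner in inventory.items():
        report[classify(banner)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed inventory: hostnames are placeholders, banners mimic
# `openssl version` output collected from each machine.
SAMPLE_INVENTORY = {
    "web01.example": "OpenSSL 0.9.7g 11 Apr 2005",
    "web02.example": "OpenSSL 0.9.7h 11 Oct 2005",
    "mail01.example": "OpenSSL 0.9.8 05 Jul 2005",
    "mail02.example": "OpenSSL 0.9.8a 11 Oct 2005",
    "legacy01.example": "OpenSSL 0.9.6m 17 Mar 2004",
    "app01.example": "openssl: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

A build that received the standalone patch instead of an upgrade keeps its old version string, so treat an "affected" result as a prompt to confirm patch status on that host.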

Final thoughts

Before you start posting angry comments in this article's discussion, let me stress that I am not advocating dumping open source in favor of Microsoft. Rather, I am campaigning for the open source market to address the problem of patch management and to integrate third-party software into its solution.

If you run a system that connects to the Internet, it's imperative that you know what software is on that system—and keep it up to date. If you don't patch the holes in your system, it's only a matter of time before someone else exploits them.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
