The problem is an error in how the SSL_OP_MSIE_SSLV2_RSA_PADDING option is handled and potentially affects applications using the SSL/TLS server implementation provided by OpenSSL.
"This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability," the OpenSSL Project said in an advisory. The option also "disables a verification step in the SSL 2.0 server [that's] supposed to prevent active protocol-version rollback attacks."
With this verification step disabled, an attacker acting as a man in the middle can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support the more secure SSL 3.0 or TLS 1.0 protocols, the advisory said, adding, "The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only."
The OpenSSL Project said the vulnerability was found in all previously released versions of OpenSSL, specifically all versions before 0.9.7h and 0.9.8a. The project has released versions 0.9.7h and 0.9.8a to address the problem.
Danish security firm Secunia noted in an advisory that successful exploitation requires that SSL 2.0 is enabled, and either the SSL_OP_MSIE_SSLV2_RSA_PADDING or the SSL_OP_ALL option is used.
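The precondition Secunia describes can be turned into a quick audit of a server's option word. The following is an added example, not code from the article or from OpenSSL; it redefines the three relevant option bits with the values from the 0.9.7/0.9.8 ssl.h headers (an assumption about those releases) so it builds without libssl, and the same logic would apply to the value returned by SSL_CTX_get_options() on a real context. Upgrading remains the actual fix; this only shows which configurations fall into the exposed set.

```c
#include <stdio.h>

/* Option bit values as defined in the OpenSSL 0.9.7/0.9.8 ssl.h headers
 * (assumed from those releases; redefined here for a stand-alone build). */
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
#define SSL_OP_ALL                    0x00000FFFL  /* includes the bit above */
#define SSL_OP_NO_SSLv2               0x01000000L

/* Returns 1 when a server configured with `options` meets the preconditions
 * named in the article: SSL 2.0 still enabled (SSL_OP_NO_SSLv2 absent) and
 * SSL_OP_MSIE_SSLV2_RSA_PADDING set, directly or via SSL_OP_ALL. */
int sslv2_rollback_exposed(long options)
{
    int sslv2_enabled = !(options & SSL_OP_NO_SSLv2);
    int padding_opt   = (options & SSL_OP_MSIE_SSLV2_RSA_PADDING) != 0;
    return sslv2_enabled && padding_opt;
}

/* Keep the other SSL_OP_ALL interoperability workarounds, drop the padding
 * workaround, and refuse SSL 2.0 outright, which the article calls a
 * fallback with severe cryptographic weaknesses. */
long harden_options(long options)
{
    return (options | SSL_OP_NO_SSLv2) & ~SSL_OP_MSIE_SSLV2_RSA_PADDING;
}

int main(void)
{
    long weak  = SSL_OP_ALL;               /* e.g. SSL_CTX_set_options(ctx, SSL_OP_ALL) */
    long fixed = harden_options(weak);
    printf("SSL_OP_ALL alone exposed: %d\n", sslv2_rollback_exposed(weak));
    printf("hardened options exposed: %d\n", sslv2_rollback_exposed(fixed));
    return 0;
}
```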
The OpenSSL Project describes itself on its Web site as a "collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a full-strength general purpose cryptography library."