Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
New OpenSSL Flaw Exposes SSL To Man-In-The-Middle Attack
Newest First  |  Oldest First  |  Threaded View
Eamon_Walsh1
50%
50%
Eamon_Walsh1,
User Rank: Apprentice
12/22/2014 | 12:14:44 PM
Re: A serious threat
Given the abundance of DOS attacks on financial verticals, POS and a renewed vigor of ransomware, it does seem like exploiting Heartbleed (or even Poodle, for that matter) is a secondary concern as opposed to the former coterie here. bit.ly/1uNXuNY
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/19/2014 | 2:11:01 AM
Re: A serious threat
Well, I totally agree with you. Heartbleed is more difficult to exploit and anyway the effect of a MITM attack is even more serious. The approach you propose is the correct one.

Regards

Pierluigi
Carrdev
50%
50%
Carrdev,
User Rank: Apprentice
6/18/2014 | 6:20:44 PM
Re: A serious threat
Yes sir, I agree, it is not as bad as heartbleed.  However, a man in the middle attack is much easier to take advantage of than a heartbleed attack.  The heartbleed attack would allow an attacker to gain access to information stored in memory.  You can then take this information and parse it out and come up with something useful in most cases, most likely allowing you to hijack a user's session or get their credentials at least.

 

The man in the middle attack is a problem because of script kiddies.  It is much simpler to implement.  You can download a kit that will walk you through hijacking a session via what version of SSL a server is using and what vulnerabilities are available for that version.  

 

I believe it is best to rebuild any way.  Why not be safe?  I work at an enterprise support company, we rebuild openssl and other native libraries built using the insecure openssl builds.  Contact me if you would like more information, or if you would like to learn FOR FREE, how to patch your ssl/apache/tomcat or anything else.   I am always happy to help.  My blog is at carrdevelopers.com
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/6/2014 | 9:09:34 AM
Re: OH COME ON!!!
Let me share my last post on the topic where I resume all the recent cases

 

Vulnerabilities in OpenSSL and GnuTLS: An Earthquake in Internet Encryption
http://resources.infosecinstitute.com/vulnerabilities-openssl-gnutls-earthquake-internet-encryption/
#securityaffairs #OperSSL #encryption #SSL
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/6/2014 | 3:48:44 AM
Re: A serious threat
Yes OpenSSL is flawed again and probably the flaws are existent since its origin.

Resuming we have for OpenSSL

Hearbleed bug + 6 new vulnerabilities (at least one of them considered critical) that allow MiTM attacks, DoS and remote code execution.

for the GnuTLS implementation it ha s been discovered the Hello vulnerability considered as critical.

None of the above flaws are comparable to the impact of Heatbleed anyway they are critical and represent a serious menace for Internet encryption and affect cyphered communications over unsecure channels.

Patch/updade your system asap, before someone could exploit the flaws.

 

 
JCHANDLER840
50%
50%
JCHANDLER840,
User Rank: Apprentice
6/5/2014 | 4:40:55 PM
Re: A serious threat
Great point, Kelly. I think with more people analyzing OpenSSL, we'll see it get stronger over time. Also, none of today's reported vulnerabiliies involved digital certificates or private keys. With patches available, server remedies can be applied now. This certainly is not Heartbleed. I like the optimism. Thanks for adding some perspective.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
6/5/2014 | 3:37:28 PM
Re: A serious threat
If I'm not mistaken, OpenSSL got some full-time developers through funding from affected organizations in the wake of Heartbleed.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/5/2014 | 1:15:39 PM
OH COME ON!!!
Really? Another SSL vulnerabiliity?! Ugh. I'm so sick of SSL.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/5/2014 | 11:41:29 AM
Re: A serious threat
The good news here--if there is some--is that researchers are now looking more closely at OpenSSL. That ideally should lead to better code, and thus more secure encryption software. #optimism
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/5/2014 | 11:38:50 AM
A serious threat
It is another serious issue that is threatening encryption over unsecure channel. Fortunately the principal consortiums have immediately released the necessary patch. It is fundamental to spread the news.

for the readers let me resume the situation

Heartbleed bug is related to the OpenSSL library, affects both server and clients.

The GnuTLS Hello flaw affects GnuTLS implementation and in the attack scenarios malicious servers are used to exploit the flaw in the client.

 

Impact of Heartbleed is wider thanks GnuTLS 

 

Stay sharp!


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27491
PUBLISHED: 2021-07-30
Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,The Ypsomed mylife Cloud discloses password hashes during the registration process.
CVE-2021-27495
PUBLISHED: 2021-07-30
Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,he Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint.
CVE-2021-32807
PUBLISHED: 2021-07-30
The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict acce...
CVE-2021-22521
PUBLISHED: 2021-07-30
A privileged escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management, affecting version 2020 Update 1 and all prior versions. The vulnerability could be exploited to gain unauthorized system privileges.
CVE-2021-34629
PUBLISHED: 2021-07-30
The SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function found in the ~/lib/class-sendgrid-statistics.php file which allows authenticated users to export statistic for a WordPress multi-site main site, in versions up to and including 1.11.8.