Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
New OpenSSL Flaw Exposes SSL To Man-In-The-Middle Attack
Newest First  |  Oldest First  |  Threaded View
Eamon_Walsh1
50%
50%
Eamon_Walsh1,
User Rank: Apprentice
12/22/2014 | 12:14:44 PM
Re: A serious threat
Given the abundance of DOS attacks on financial verticals, POS and a renewed vigor of ransomware, it does seem like exploiting Heartbleed (or even Poodle, for that matter) is a secondary concern as opposed to the former coterie here. bit.ly/1uNXuNY
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/19/2014 | 2:11:01 AM
Re: A serious threat
Well, I totally agree with you. Heartbleed is more difficult to exploit and anyway the effect of a MITM attack is even more serious. The approach you propose is the correct one.

Regards

Pierluigi
Carrdev
50%
50%
Carrdev,
User Rank: Apprentice
6/18/2014 | 6:20:44 PM
Re: A serious threat
Yes sir, I agree, it is not as bad as heartbleed.  However, a man in the middle attack is much easier to take advantage of than a heartbleed attack.  The heartbleed attack would allow an attacker to gain access to information stored in memory.  You can then take this information and parse it out and come up with something useful in most cases, most likely allowing you to hijack a user's session or get their credentials at least.

 

The man in the middle attack is a problem because of script kiddies.  It is much simpler to implement.  You can download a kit that will walk you through hijacking a session via what version of SSL a server is using and what vulnerabilities are available for that version.  

 

I believe it is best to rebuild any way.  Why not be safe?  I work at an enterprise support company, we rebuild openssl and other native libraries built using the insecure openssl builds.  Contact me if you would like more information, or if you would like to learn FOR FREE, how to patch your ssl/apache/tomcat or anything else.   I am always happy to help.  My blog is at carrdevelopers.com
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/6/2014 | 9:09:34 AM
Re: OH COME ON!!!
Let me share my last post on the topic where I resume all the recent cases

 

Vulnerabilities in OpenSSL and GnuTLS: An Earthquake in Internet Encryption
http://resources.infosecinstitute.com/vulnerabilities-openssl-gnutls-earthquake-internet-encryption/
#securityaffairs #OperSSL #encryption #SSL
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/6/2014 | 3:48:44 AM
Re: A serious threat
Yes OpenSSL is flawed again and probably the flaws are existent since its origin.

Resuming we have for OpenSSL

Hearbleed bug + 6 new vulnerabilities (at least one of them considered critical) that allow MiTM attacks, DoS and remote code execution.

for the GnuTLS implementation it ha s been discovered the Hello vulnerability considered as critical.

None of the above flaws are comparable to the impact of Heatbleed anyway they are critical and represent a serious menace for Internet encryption and affect cyphered communications over unsecure channels.

Patch/updade your system asap, before someone could exploit the flaws.

 

 
JCHANDLER840
50%
50%
JCHANDLER840,
User Rank: Apprentice
6/5/2014 | 4:40:55 PM
Re: A serious threat
Great point, Kelly. I think with more people analyzing OpenSSL, we'll see it get stronger over time. Also, none of today's reported vulnerabiliies involved digital certificates or private keys. With patches available, server remedies can be applied now. This certainly is not Heartbleed. I like the optimism. Thanks for adding some perspective.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
6/5/2014 | 3:37:28 PM
Re: A serious threat
If I'm not mistaken, OpenSSL got some full-time developers through funding from affected organizations in the wake of Heartbleed.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/5/2014 | 1:15:39 PM
OH COME ON!!!
Really? Another SSL vulnerabiliity?! Ugh. I'm so sick of SSL.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/5/2014 | 11:41:29 AM
Re: A serious threat
The good news here--if there is some--is that researchers are now looking more closely at OpenSSL. That ideally should lead to better code, and thus more secure encryption software. #optimism
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/5/2014 | 11:38:50 AM
A serious threat
It is another serious issue that is threatening encryption over unsecure channel. Fortunately the principal consortiums have immediately released the necessary patch. It is fundamental to spread the news.

for the readers let me resume the situation

Heartbleed bug is related to the OpenSSL library, affects both server and clients.

The GnuTLS Hello flaw affects GnuTLS implementation and in the attack scenarios malicious servers are used to exploit the flaw in the client.

 

Impact of Heartbleed is wider thanks GnuTLS 

 

Stay sharp!


COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14310
PUBLISHED: 2020-07-31
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a ma...
CVE-2020-14311
PUBLISHED: 2020-07-31
There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow.
CVE-2020-5413
PUBLISHED: 2020-07-31
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains mali...
CVE-2020-5414
PUBLISHED: 2020-07-31
VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are a...
CVE-2019-11286
PUBLISHED: 2020-07-31
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the ...