Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/5/2014
11:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

New OpenSSL Flaw Exposes SSL To Man-In-The-Middle Attack

Security advisory includes fixes for six newly discovered bugs in OpenSSL.

Don't look now, but it's time to patch OpenSSL again: A critical flaw discovered in the open-source encryption software could allow an attacker to hijack an SSL/TLS session and decrypt and alter the traffic sent between the client and server machines.

The OpenSSL team today released an update that patches the flaw, classified as critical by SANS Internet Storm Center, as well as five other vulnerabilities.

The SSL/TLS man-in-the middle flaw (CVE-2014-0224) centers around a weakness in the "handshake" between client and server in an OpenSSL SSL/TLS session. "I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers,"  SANS Internet Storm Center head Johannes Ullrich said today in a blog post.

Vulnerable OpenSSL server versions include OpenSSL 1.0.1 and 1.0.2-beta1, and the OpenSSL Project recommends OpenSSL servers earlier than the 1.0.1 update to a newer version "as a precaution." A security advisory issued today by the OpenSSL Project says OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za; OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m; and OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

The vulnerability also affects the most recent versions of OpenSSL server software, notes Nicholas J. Percoco, vice president of strategic services at Rapid7, in an emailed statement:

This likely contains the majority of systems on the Internet, given that most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year. A Man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed to be encrypted between a client (eg. an end user) and a server (eg. the online bank, etc.). This attack is also passive in nature and will may not be detected by a client, server or network based security controls.

The latest security holes in OpenSSL reflect a new scrutiny of encryption software, post-Heartbleed, something that most security experts predicted would occur.

Tal Klein, vice president of strategy at Adallom, tells us:

I don't think the roof is on fire, but this is a further reminder that companies using open-source components like OpenSSL as part of mission-critical enterprise infrastructure need to invest and participate in those projects. We should get ourselves out of the mindset that open-source software is free just because there are no licensing fees. When adopting open-source software for core functionality, companies should allocate some of the money they're saving by not having to pay for licensing and support to funding, and ideally participating in the project.

The new OpenSSL update also includes patches for a DTLS handshake recursion flaw (CVE-2014-0221) that could result in a denial-of-service attack; a DTLS invalid fragment vulnerability (CVE-2014-0195) that could be exploited in a buffer overrun attack that could run remotely executable code on targeted machines; a null pointer flaw (CVE-2014-0198) that could result in a DoS; a race condition flaw (CVE-2010-5298) that could result in a DoS; and another DoS-related bug (CVE-2014-3470) in OpenSSL clients that use the software's anonymous ECDH cipher suites.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Eamon_Walsh1
50%
50%
Eamon_Walsh1,
User Rank: Apprentice
12/22/2014 | 12:14:44 PM
Re: A serious threat
Given the abundance of DOS attacks on financial verticals, POS and a renewed vigor of ransomware, it does seem like exploiting Heartbleed (or even Poodle, for that matter) is a secondary concern as opposed to the former coterie here. bit.ly/1uNXuNY
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/19/2014 | 2:11:01 AM
Re: A serious threat
Well, I totally agree with you. Heartbleed is more difficult to exploit and anyway the effect of a MITM attack is even more serious. The approach you propose is the correct one.

Regards

Pierluigi
Carrdev
50%
50%
Carrdev,
User Rank: Apprentice
6/18/2014 | 6:20:44 PM
Re: A serious threat
Yes sir, I agree, it is not as bad as heartbleed.  However, a man in the middle attack is much easier to take advantage of than a heartbleed attack.  The heartbleed attack would allow an attacker to gain access to information stored in memory.  You can then take this information and parse it out and come up with something useful in most cases, most likely allowing you to hijack a user's session or get their credentials at least.

 

The man in the middle attack is a problem because of script kiddies.  It is much simpler to implement.  You can download a kit that will walk you through hijacking a session via what version of SSL a server is using and what vulnerabilities are available for that version.  

 

I believe it is best to rebuild any way.  Why not be safe?  I work at an enterprise support company, we rebuild openssl and other native libraries built using the insecure openssl builds.  Contact me if you would like more information, or if you would like to learn FOR FREE, how to patch your ssl/apache/tomcat or anything else.   I am always happy to help.  My blog is at carrdevelopers.com
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/6/2014 | 9:09:34 AM
Re: OH COME ON!!!
Let me share my last post on the topic where I resume all the recent cases

 

Vulnerabilities in OpenSSL and GnuTLS: An Earthquake in Internet Encryption
http://resources.infosecinstitute.com/vulnerabilities-openssl-gnutls-earthquake-internet-encryption/
#securityaffairs #OperSSL #encryption #SSL
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/6/2014 | 3:48:44 AM
Re: A serious threat
Yes OpenSSL is flawed again and probably the flaws are existent since its origin.

Resuming we have for OpenSSL

Hearbleed bug + 6 new vulnerabilities (at least one of them considered critical) that allow MiTM attacks, DoS and remote code execution.

for the GnuTLS implementation it ha s been discovered the Hello vulnerability considered as critical.

None of the above flaws are comparable to the impact of Heatbleed anyway they are critical and represent a serious menace for Internet encryption and affect cyphered communications over unsecure channels.

Patch/updade your system asap, before someone could exploit the flaws.

 

 
JCHANDLER840
50%
50%
JCHANDLER840,
User Rank: Apprentice
6/5/2014 | 4:40:55 PM
Re: A serious threat
Great point, Kelly. I think with more people analyzing OpenSSL, we'll see it get stronger over time. Also, none of today's reported vulnerabiliies involved digital certificates or private keys. With patches available, server remedies can be applied now. This certainly is not Heartbleed. I like the optimism. Thanks for adding some perspective.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Ninja
6/5/2014 | 3:37:28 PM
Re: A serious threat
If I'm not mistaken, OpenSSL got some full-time developers through funding from affected organizations in the wake of Heartbleed.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/5/2014 | 1:15:39 PM
OH COME ON!!!
Really? Another SSL vulnerabiliity?! Ugh. I'm so sick of SSL.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/5/2014 | 11:41:29 AM
Re: A serious threat
The good news here--if there is some--is that researchers are now looking more closely at OpenSSL. That ideally should lead to better code, and thus more secure encryption software. #optimism
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/5/2014 | 11:38:50 AM
A serious threat
It is another serious issue that is threatening encryption over unsecure channel. Fortunately the principal consortiums have immediately released the necessary patch. It is fundamental to spread the news.

for the readers let me resume the situation

Heartbleed bug is related to the OpenSSL library, affects both server and clients.

The GnuTLS Hello flaw affects GnuTLS implementation and in the attack scenarios malicious servers are used to exploit the flaw in the client.

 

Impact of Heartbleed is wider thanks GnuTLS 

 

Stay sharp!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14300
PUBLISHED: 2020-07-13
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
CVE-2020-14298
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
CVE-2020-15050
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
CVE-2020-10987
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVE-2020-10988
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.