New OpenSSL Flaw Exposes SSL To Man-In-The-Middle Attack
Security advisory includes fixes for six newly discovered bugs in OpenSSL.
June 5, 2014
Don't look now, but it's time to patch OpenSSL again: A critical flaw discovered in the open-source encryption software could allow an attacker to hijack an SSL/TLS session and decrypt and alter the traffic sent between the client and server machines.
The OpenSSL team today released an update that patches the flaw, classified as critical by SANS Internet Storm Center, as well as five other vulnerabilities.
The SSL/TLS man-in-the-middle flaw (CVE-2014-0224) centers on a weakness in the "handshake" between client and server in an OpenSSL SSL/TLS session. "I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers," SANS Internet Storm Center head Johannes Ullrich said today in a blog post.
Vulnerable OpenSSL server versions include OpenSSL 1.0.1 and 1.0.2-beta1, and the OpenSSL Project recommends that users of OpenSSL servers earlier than 1.0.1 upgrade to a newer version "as a precaution." A security advisory issued today by the OpenSSL Project says OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za; OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m; and OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
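As an added example (not from the article or the OpenSSL Project), the Python code below applies the upgrade guidance and the both-ends condition described above to `openssl version` strings. The function names and sample inventory are constructed for illustration, and the rule that unpatched clients are affected in every branch is taken from the OpenSSL advisory rather than from this article.

```python
import re

# Fixed release letter per branch, as listed in the article.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
_VERSION = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?")

def parse(text):
    """Split an `openssl version` line into (branch, patch letters, beta tag)."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version in {text!r}")
    return m.group(1), m.group(2), m.group(3) or ""

def known_unpatched(text):
    """True only when the article's data says this build predates the fix."""
    branch, letters, tag = parse(text)
    if branch in FIXED:
        # Patch letters run a..z, za, zb, so string order matches release order;
        # betas of a branch carry no letter and sort before every letter release.
        return letters < FIXED[branch]
    # 1.0.2-beta1 is named as vulnerable; the article gives no fixed 1.0.2 release.
    return (branch, letters, tag) == ("1.0.2", "", "-beta1")

def upgrade_target(text):
    """Release to move to, or None when already fixed or not covered here."""
    branch = parse(text)[0]
    if branch in FIXED and known_unpatched(text):
        return branch + FIXED[branch]
    return None

def server_mitm_exposed(text):
    # Per the article, only 1.0.1 and 1.0.2-beta1 are vulnerable on the server side.
    return parse(text)[0] in ("1.0.1", "1.0.2") and known_unpatched(text)

def session_mitm_exposed(client, server):
    # Both ends must be vulnerable. Assumption taken from the OpenSSL advisory,
    # not from the article: unpatched clients are affected in every branch.
    return known_unpatched(client) and server_mitm_exposed(server)

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("web01", "OpenSSL 1.0.1g"), ("legacy", "OpenSSL 0.9.8y"),
                 ("build", "OpenSSL 1.0.1e-fips"), ("edge", "OpenSSL 1.0.1h")]
    for host, ver in inventory:
        print(host, ver, "->", upgrade_target(ver) or "no upgrade indicated",
              "| server-side MITM exposure:", server_mitm_exposed(ver))
```

Distribution packages often backport fixes without changing the upstream version string, so a "needs upgrade" result on a vendor build (such as the `-fips` sample) should be confirmed against the vendor's own advisory.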
The vulnerability also affects the most recent versions of OpenSSL server software, notes Nicholas J. Percoco, vice president of strategic services at Rapid7, in an emailed statement:
This likely contains the majority of systems on the Internet, given that most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year. A man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed to be encrypted between a client (e.g. an end user) and a server (e.g. the online bank, etc.). This attack is also passive in nature and may not be detected by a client, server or network-based security controls.
The latest security holes in OpenSSL reflect a new scrutiny of encryption software, post-Heartbleed, something that most security experts predicted would occur.
Tal Klein, vice president of strategy at Adallom, tells us:
I don't think the roof is on fire, but this is a further reminder that companies using open-source components like OpenSSL as part of mission-critical enterprise infrastructure need to invest and participate in those projects. We should get ourselves out of the mindset that open-source software is free just because there are no licensing fees. When adopting open-source software for core functionality, companies should allocate some of the money they're saving by not having to pay for licensing and support to funding, and ideally participating in the project.
The new OpenSSL update also includes patches for a DTLS handshake recursion flaw (CVE-2014-0221) that could result in a denial-of-service attack; a DTLS invalid fragment vulnerability (CVE-2014-0195) that could be exploited in a buffer overrun attack to run code remotely on targeted machines; a null pointer flaw (CVE-2014-0198) that could result in a DoS; a race condition flaw (CVE-2010-5298) that could result in a DoS; and another DoS-related bug (CVE-2014-3470) in OpenSSL clients that use the software's anonymous ECDH cipher suites.