James Delahunty
5 Jun 2014 8:16
An OpenSSL Security Advisory has been issued detailing a flaw (CVE-2014-0224) that could be exploited by Man-in-the-Middle attacks between OpenSSL SSL/TLS clients and servers to decrypt or modify traffic.
It involves the use of a specially-crafted handshake to force the use of a weak keying material in OpenSSL SSL/TLS clients and servers, but can only be performed between a vulnerable client and server. In the worst case, this flaw can be exploited by a Man-in-the-middle (MITM) attack, where a malicious agent can decrypt and/or modify traffic between the client and server.
All OpenSSL clients are vulnerable to this attack, whereas servers are only vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1, therefore it is absolutely necessary that users of OpenSSL servers earlier than v1.0.1 upgrade.
According to the OpenSSL Security Advisory, which detailed this flaw and six other (albeit less severe) issues, the following upgrades are essential.
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
OpenSSL is crediting KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and reporting the issue last month.
Read the rest of the advisory at: www.openssl.org