OpenSSL vulnerable to Man-in-the-Middle attack

Written by James Delahunty @ 05 Jun 2014 8:16

An OpenSSL Security Advisory has been issued detailing a flaw (CVE-2014-0224) that could be exploited by Man-in-the-Middle attacks between OpenSSL SSL/TLS clients and servers to decrypt or modify traffic.

It involves the use of a specially-crafted handshake to force the use of a weak keying material in OpenSSL SSL/TLS clients and servers, but can only be performed between a vulnerable client and server. In the worst case, this flaw can be exploited by a Man-in-the-middle (MITM) attack, where a malicious agent can decrypt and/or modify traffic between the client and server.

All OpenSSL clients are vulnerable to this attack, whereas servers are only vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1, therefore it is absolutely necessary that users of OpenSSL servers earlier than v1.0.1 upgrade.

According to the OpenSSL Security Advisory, which detailed this flaw and six other (albeit less severe) issues, the following upgrades are essential.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

OpenSSL is crediting KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and reporting the issue last month.

Read the rest of the advisory at: www.openssl.org

Tags: OpenSSL

<Microsoft: Xbox One to get GPU power boost >Xbox One controller PC drivers now available

Comments have been disabled for this article.

	Sony suspends memory card sales because memory chips are simply not available (28 Mar 2026 6:49) Sony has announced that it is temporarily suspending the sale of memory cards used in mobile phones and digital cameras, among other things. The company states that the reason is problems with the availability of memory chips.
	Austria plans to ban social media for under 14 year olds (28 Mar 2026 6:17) Austria is planning to ban social media for children under 14. The reform aims to protect children from harmful effects and addictions, but at the same time, it is problematic from a privacy perspective.
	TP-Link urges users to update their routers - several vulnerabilities patched (26 Mar 2026 1:56) Serious security vulnerabilities have been discovered in several TP-Link router models, for which patches were released at the end of March 2026. The company urges users to update their router software immediately.
	Google: The feared Q-Day is now expected to happen in 2029 (25 Mar 2026 4:32) Google has advanced its estimate of when current forms of encryption will become insecure. The moment is called Q-Day, or Quantum Day, when the computational power of quantum computers will be sufficient to break currently used encryptions.
	OpenAI shuts down its AI video service Sora (24 Mar 2026 6:28) OpenAI has decided to shut down Sora, its AI video creator, just months after its release. The decision is due to issues such as copyright problems and the deepfake phenomenon.

OpenSSL vulnerable to Man-in-the-Middle attack

Latest news

Reviews

News archive

Subscribe

Sections:

Follow us:

	Review: Roborock Saros Z70 - robot vacuum with an arm In out in-depth review of Roborock Saros Z70 we put the robot vacuum through a 3 month test period, where we observed its work in normal home. The sci-fi -like arm of Z70 was a little bit disappointing, due its limited functionality.
	Roborock Saros 10 review - Great, but not perfect We tested Roborock Saros 10 robot vacuum for more than two months in order to see whether it is really worth its hefty price tag. The mopping, self-emptying Saros 10 was mostly great, even perfect. But its object avoidance was bit disappointing. 1 user comment
	Roborock S8 MaxV Ultra review - obstacle avoidance doesn't work as it should, otherwise almost perfect robot vacuum We put the Roborock S8 MaxV Ultra through a very, very long review process. The $1800 mopping robot vacuum is almost perfect, but its obstacle avoidance was surprisingly bad, considering the price - and compared to its competitors.