What is it?
Patches have been released this week for six newly discovered OpenSSL vulnerabilities, one of which (CVE-2014-0224) allows an attacker with access to SSL traffic to decrypt communications if they have gained access to the SSL traffic. The attack requires vulnerable versions of both client and server software to be in use and will not work if just the client or server is vulnerable. Following the Heartbleed vulnerability, OpenSSL is now being scrutinised very closely so expect to see further updates released in the coming weeks and months.
Although the CVE-2014-0224 vulnerability is a Man-in-the-Middle attack that requires access to the SSL traffic, this can be achieved with a number of techniques such as ARP spoofing on a local network segment and DNS poisoning across the Internet. Man-in-the-Middle attacks are hard to detect by NIDS (Network Intrusion Detection Systems) and HIDS (Host Intrusion Detection Systems) as they are performed against the traffic and not directly against the servers or clients. Typically the servers and clients see what appears to be completely normal traffic.
Am I affected?
Servers running OpenSSL 1.0.1 and 1.0.2-beta1 are vulnerable and the OpenSSL Project recommends OpenSSL servers earlier than the 1.0.1 update to a newer version. OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za; OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m; and OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
Most common browsers (Firefox, Chrome and Internet Explorer) are not vulnerable as they do not use OpenSSL (apart from Google Chrome on Android platforms which does), however machine-to-machine communications using OpenSSL on both sides are vulnerable, such as OpenSSL-based VPN connections.
After the Heartbleed vulnerability most organisations will have upgraded to the one of the OpenSSL server versions vulnerable to this attack so the majority are OpenSSL servers are currently vulnerable.
The OpenSSL patches also include fixes for the other newly discovered vulnerabilities including a DTLS invalid fragment vulnerability that could be used to execute malicious software on OpenSSL clients and servers although no known exploits are currently available. Other vulnerabilities can be used to perform Denial of Service (DoS) attacks against various versions of OpenSSL server.
All OpenSSL users should upgrade to the latest version of their OpenSSL fork:
- OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
- OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
- OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.7
Where can I get the fix?
The updates can be obtained at the following address: https://www.openssl.org/source/
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.