OpenSSL releases patches for critical MITM, code execution flaws

OpenSSL users, you need to patch again. The OpenSSL team released a security update that fixes 6 vulnerabilities, two of which could be considered critical.

The first one is an SSL/TLS MITM vulnerability (CVE-2014-0224). “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” it has been explained.

“The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”

“The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren’t affected. None the less, all OpenSSL users should be updating,” commented Adam Langley, a researcher on Google’s security team, and offered his own analysis of the flaw.

The flaw was unearthed by researcher Masashi Kikuchi, who explained more about the bug and how he discovered it in a blog post.

“This bug has existed since the very first release of OpenSSL,” he noted, then added: “The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem.”

SANS ISC CTO Johannes Ullrich noted that while the flaw is serious, “in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers.”

He also defines the DTLS invalid fragment vulnerability (CVE-2014-0195) patched in the same update as critical, as it may lead to arbitrary code execution on a vulnerable client or server. Luckily, only applications using OpenSSL as a DTLS client or server affected.

“The newly disclosed OpenSSL vulnerability (CVE-2014-0224) allows an active network attacker to inject ChangeCipherSpec (CCS) messages into the handshake to force use of weak encryption keys. This is a serious and easily exploitable vulnerability, but it’s limited by the fact that both sides must run a vulnerable version of OpenSSL. On the client side, OpenSSL is vulnerable in all versions. On the client side, OpenSSL versions in the 1.0.1 branch are vulnerable.

“Given that browsers generally do not rely on OpenSSL, most users will be safe. However, the Android browser as well as Chrome for Android, do use OpenSSL, and might be affected. Further, OpenSSL is very often used in command line utilities and for programmatic access. According to SSL Pulse, about 24% of the servers from our data set use a version from the OpenSSL 1.0.1 branch,” Ivan Ristic, Director of Engineering at Qualys, commented the dangers of the CVE-2014-0224 vulnerability.

“On the surface, the fact that the vulnerability requires man in the middle positioning for exploitation is limiting, but as better tools are developed, automation might enable easy mass-exploitation on wi-fi networks and similar environments. For example, password and session identifier harvesting from popular web sites could be easily automated.”