AnsweredAssumed Answered

Another OpenSSL critical bug - wrong processing of ChangeCipherSpec messages allows MITM attack - CVE-2014-0224

Question asked by j-mailor on Jun 6, 2014
Latest reply on Jun 23, 2014 by j-mailor

Hi,

looking at the https://isc.sans.edu/forums/diary/Critical+OpenSSL+Patch+Available+Patch+Now+/18211 new OpenSSL six security patches were released yesterday. I have looked at descriptions of those patches and one is in my opinion very important it is even rated as "critical" and alows Man in the Middle attack (MITM). Official name is CVE-2014-0224 and effect only OpenSSL version 1.0.1 when using HTTPS protocol (other patches in my humble opinion are not critical or do not appear with default settings). For 1.0.1 series there is a new patch named: OpenSSL 1.0.1h.

 

Is there a plan to include CVE-2014-0224 test vulnerability in ssllabs.com/ssltest ?

Thanks

 

EDIT 2014-06-09: I was wrong, the problem beside 1.0.1 also effects 0.9.8 and 1.0.0. On web page: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 is stated: "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to ..."

 

EDIT 2014-06-10: According to web page: https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/06/05/june-2014-patch-tuesday-preview-and-new-openssl-mitm-issue  (last paragraph) there is MITM vulnerability only!!! when OpenSSL client communicates with OpenSSL server like some command tools etc. This is not typical web-browser (not using OpenSSL client) communication to web-server (using OpenSSL server). The only bigger issues is an Android devices like Android browsers (Chrome and native) which both are using OpenSSL client to communicate to OpenSSL enabled web-server.

 

Generally speaking if you don't have the latest OpenSSL library at web server then you are vulnerable to this attack, so it would seam that ssllabs.com/ssltest update to reflect this problem is not so urgent. But sometimes it is difficult to find out if web server really is using the latest OpenSSL, for example when 'SSL Heartbleed bug' was patched many Linux distribution did NOT update OpenSSL library from upstream main project, but instead source code was patched downstream (at particular Linux distribution) and fix released, so only checking the version of OpenSSL can be misleading. That is why ssllabs.com/ssltest is so important, so admins do not need to dig into so many different ways of fixing security bugs - specially in diverse environment with different system (probably in most of the companies anyway).

Outcomes