Today the folks at openssl.org published a new vulnerability found in OpenSSL encryption. For those that are not aware, OpenSSL is found on approximately 66% of all websites found on the Internet. You can find the official notice on this vulnerability HERE as well as details posted below. This time its a known bug and yet again, we are being told by the openssl team the remediation for this is to upgrade to the latest version of OpenSSL using the recently patches being released.
The major difference between Heartbleed and this new vulnerability is attackers exploiting Heartbleed are accessing the vulnerable system directly while this new vulnerability is a man-in-the-middle attack meaning the attacker is decrypting traffic between the victim and server. Basically, the attacker steals your data in transit rather than directly off the server, which is just as bad.
Andy Greenberg at wired posted a good writeup on this new vulnerability found HERE. Below is the original release from openssl.org.
“SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================
An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue. This issue was reported to OpenSSL on 1st May
2014 via JPCERT/CC.
The fix was developed by Stephen Henson of the OpenSSL core team partly based
on an original patch from KIKUCHI Masashi.”
