PDA

View Full Version : NEW OpenSSL vulnerabilities!



Suraf
20-06-14, 08:42 PM
Thanks to Katos at Lordcraft for making this announcement! I'm enforcing this announcement here to help anyone else whom have no clue about these vulnerabilities but uses OpenSSL.


New OpenSSL vulnerabilities
The OpenSSL team announced seven vulnerabilities (https://www.openssl.org/news/secadv_20140605.txt) covering OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 (i.e. all versions) earlier this week.


The most serious of which is the potential Man in the middle attack:




OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.



Everyone who uses OpenSSL in their software or on their server should upgrade as soon as possible; the OpenSSL team has released new versions (https://www.openssl.org/).


Cloudflare and the above
Those of you running cloudflare should be pleased to hear that cloudflare patched this vulnerability pretty damn quick, and they are now protected from the above, however they (as do I myself) strongly recommend updating any base-line OpenSSL that you have on your system (basically, don't rely on Cloudflare to secure you... because it wont.) You can view the "new versions" link above to do this.


Hope this helps,
Thanks,
Katos.





Credits: Katos

katos
21-06-14, 09:27 AM
Thanks for crediting myself, much appreciated.
Hope that people find this useful! :)