The OpenSSL team has issued a security advisory on June 05, 2014 identifying seven vulnerabilities. Out of those seven the key one to look into is the SSL/TLS MITM vulnerability (CVE-2014-0224).
The OpenSSL team state, “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”
This attack can only be performed between a vulnerable client and server. The known versions of this vulnerability is OpenSSL 1.0.1 and 1.0.2-beta1. It is suggested that if you have an earlier version than 1.0.1 that you also upgrade as a precaution.
The patches are now available from OpenSSL and can be downloaded by going to https://www.openssl.org/
- OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h
- OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
- OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8a
The vulnerabilities that were discovered are in the software and not with the Certificate Authorities or SSL/TLS protocols. This means that SSL-encrypted websites and servers are still secure. Once the patches are applied to your system you will be secured against the vulnerabilities revealed by the OpenSSL Development team today.