The OpenSSL team issued a security advisory on June 05, 2014 identifying seven vulnerabilities. Of those seven, the key one to look into is the SSL/TLS MITM vulnerability (CVE-2014-0224).

The OpenSSL team state, “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL/TLS clients and servers.  This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”

This attack can only be performed between a vulnerable client and a vulnerable server. The versions known to be vulnerable are OpenSSL 1.0.1 and 1.0.2-beta1. If you are running a version earlier than 1.0.1, it is suggested that you also upgrade as a precaution.

The patches are now available from OpenSSL and can be downloaded by going to https://www.openssl.org/

  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8a

The vulnerabilities that were discovered are in the software and not with the Certificate Authorities or SSL/TLS protocols.  This means that SSL-encrypted websites and servers are still secure.  Once the patches are applied to your system you will be secured against the vulnerabilities revealed by the OpenSSL Development team today.

 

 
