OpenSSL Vulnerabilities: A Critical Update for Internet Security
In a shocking revelation, the OpenSSL Foundation has disclosed multiple vulnerabilities in the widely used encryption library, leaving millions of websites vulnerable to attacks. The foundation has issued an urgent appeal to upgrade OpenSSL as soon as possible to mitigate the risks.
The Heart of the Matter: OpenSSL’s Critical Vulnerability
Just a few weeks ago, a critical vulnerability was disclosed that has sent shockwaves across the Internet. OpenSSL is used by millions of websites worldwide to encrypt communications, making it a critical component of online security. Unfortunately, this vulnerability has affected all versions of OpenSSL, including those used by websites, servers, and clients.
The Middle Attack: A Critical Vulnerability
The first critical vulnerability, known as “CCS injection” (CVE-2014-0224), allows an attacker to hijack encrypted communication between a server and a client. This is made possible by exploiting the ChangeCipherSpec (CCS) request during the OpenSSL handshake. An attacker can parse and decrypt the encrypted link or read communication data, but only if both the server and client are affected. According to the OpenSSL report, an attacker can use the handshake to force the use of weak keys for communication between the client and server.
Affected Systems
All versions of OpenSSL clients are affected by this vulnerability, but only versions 1.0.1 and above are vulnerable on service terminals. Some SSL VPN products are particularly vulnerable to this attack.
A Security Researcher’s Discovery
The OpenSSL CCS injection vulnerability was discovered by Masashi Kikuchi, a security researcher from Japan. According to his description, the problem existed in the first release of OpenSSL. RedHat has also explained some of the details of the vulnerability on their security blog.
Additional Vulnerabilities
Two other vulnerabilities have been discovered in OpenSSL:
- Invalid DTLS Debris Vulnerability (CVE-2014-0195): A buffer overflow attack can be caused by sending invalid DTLS debris to a DTLS client or server. This can lead to arbitrary code execution on the affected client or server.
- DTLS Infinite Loop DOS Attack (CVE-2014-0221): A remote attacker can send an invalid DTLS handshake request to a target, causing it to enter an infinite loop and eventually run out of resources and crash. This attack affects only the application using OpenSSL as a DTLS client.
Patch Available
The good news is that these vulnerabilities are not as severe as the CCS injection vulnerability. Patched versions of OpenSSL, including 0.9.8za, 1.0.0m, and 1.0.1h, are already available for download on the OpenSSL official website.
Update Your SSL Implementation
The OpenSSL Foundation has called on manufacturers to update their SSL implementation as soon as possible to mitigate the risks associated with these vulnerabilities.