Get a free application, infrastructure and malware scan report - Scan Your Website Now

Managed WAF

OpenSSL MITM CCS vulnerability and its impact

Posted DateJune 6, 2014
Posted Time 2   min Read

Within weeks of the infamous Heartbleed vulnerability in one of the world’s most commonly used open-source software OpenSSL, more vulnerabilities have been found in OpenSSL. One of the reasons for this is that developers of OpenSSL and others are having a closer look at the OpenSSL code following the discovery of Heartbleed. Yesterday, OpenSSL came up with a security advisory detailing seven vulnerabilities and has released versions fixing these vulnerabilities. While many of them relate to the prevalence of DDoS attacks – dangerous though DDoS attacks are, they don’t make one lose one’s sensitive data – one of the vulnerabilities ( CVE-2014-024) allows a hacker to launch a MITM (man in the middle attack) and snoop on unencrypted data.  The hacker can thus look at sensitive data in the clear, beating OpenSSL’s encryption. The impact is enormous.

To summarize, unlike in the case of Heartbleed where even if either client or server uses OpenSSL, the whole connection would be vulnerable, in this case, both OpenSSL Client and Server have to be vulnerable for exploiting this vulnerability. There being the huge number of other devices using OpenSSL — routers, standalone devices, VPN clients, wifi access points (AP), etc — the vulnerability is important enough.

Briefly, vulnerability is the following. Because of a flaw in OpenSSL implementation, it is possible to launch a man-in-the-middle attack by sending a CCS ( ChangeCipheSpec) request, a single packet to both client and server that forces them to have a zero-length pre-master key. Using this master key, all data can then be easily decrypted and snooped.

All OpenSSL client versions are vulnerable. As to the OpenSSL server, only 1.0.1 and 1.0.2 are vulnerable. OpenSSL recommends however that everyone update their clients and servers. And new versions of OpenSSL have been made available Here are the details for the upgrade:

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.

OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

The best fix for the above then is to upgrade all OpenSSL clients and servers with the above versions that apply. In case you are Indusface customer protecting your website using Indusface WAF, there is a better solution. Indusface WAF has been upgraded to run a version of OpenSSL that has fixed this vulnerability. Since, for this vulnerability to be exploited, both client and server have to be vulnerable, an Indusface WAF that works like a proxy in the middle emulates a server for the client and hence you would be secure.

Of course, you would have to upgrade your OpenSSL clients too so that they are secure when accessing other OpenSSL servers that may be vulnerable.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

web application security banner

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

DDoS Attack Mitigation Playbook
DDoS Attack Mitigation Playbook for SOC and DevOps Teams

Facing DDoS threats? Arm your SOC & DevOps teams with effective mitigation strategies. Explore geo-fencing, IP blacklisting, and rate limiting in our playbook.

Read More
Types of DDoS Mitigation Services
The Right Choice – Types of DDoS Mitigation Services Demystified

According to Gartner, downtime costs enterprises around $5,600 per minute. For any business, it is a significant loss since the median downtime of a DDoS attack lasts between seven to.

Read More
poor firewall implementation paves way for DDoS attacks
Poor Firewall Implementations Pave Wave for DDoS Attacks

What are these implementation flaws that make firewalls susceptible to DDoS attacks? What can you do to fortify their security posture?

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!