All the latest UK technology news, reviews and analysis


OpenSSL man-in-the-middle flaw found after 16 years

06 Jun 2014
cyber-security-web

A 16-year-old flaw in OpenSSL has been uncovered, just two months after the Heartbleed saga came to light.

An advisory notice on the OpenSSL website reports that a man-in-the-middle vulnerability – referred to as CVE-2014-0224 – was uncovered by security researcher Masashi Kikuchi.

“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” the advisory states.

It adds that the attack can only be performed if both the client and server are vulnerable, which will be the case if servers are running OpenSSL 1.0.1 or 1.0.2-beta1.

“Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution,” the notice says.

Kikuchi helped to produce a fix for the problem that was finalised by Stephen Henson of the OpenSSL core team and is available to download and install from here.

Kikuchi provided more information on how he uncovered the bug on a blog post, revealing that the issue had never been found before due to insufficient code checks.

“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," he wrote.

“If the reviewers had enough experiences, they should have verified OpenSSL code in the same way they do their own code and they could have detected the problem.”

Nicholas Percoco, vice president of strategic services at security firm Rapid7, said that given most servers had been upgraded to the most recent version after Heartbleed, millions could be affected by this latest threat.

"The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent.

"This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year.”

The latest security woes around OpenSSL show that the two new staff being sought by The Linux Foundation to work on the technology will have plenty to keep them occupied.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Dan Worth
About

Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal

View Dan's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Windows 10 poll

What are your first impressions of Windows 10?
13%
3%
9%
4%
22%
4%
45%

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Vendor Services Manager (IT) - Central London

Vendor Services Manager (IT) - Central London A truly...

Data Quality Analyst

Our vision is to make Lloyds Banking Group the best bank...

Contract Cloud AWS - Consultant Engineer Urgent

Contract Cloud Consultant Engineer -AWS Milton Keynes...

IT/IS Manager Infrastructure (hands-on)

IT/IS Manager Infrastructure (hands-on) North West/Lancashire...
To send to more than one email address, simply separate each address with a comma.